author | Julien Cristau <julien.cristau@logilab.fr> |
Mon, 09 Nov 2015 16:21:29 +0100 | |
changeset 10879 | 3193d9ede8dd |
parent 10769 | c45f4bcff3aa |
permissions | -rw-r--r-- |
9981
7099bbd685aa
[hooks/security] allow edition of attributes with permissive permissions
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
1 |
# copyright 2003-2014 LOGILAB S.A. (Paris, FRANCE), all rights reserved. |
5421
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
2 |
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
3 |
# |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
4 |
# This file is part of CubicWeb. |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
5 |
# |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
6 |
# CubicWeb is free software: you can redistribute it and/or modify it under the |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
7 |
# terms of the GNU Lesser General Public License as published by the Free |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
8 |
# Software Foundation, either version 2.1 of the License, or (at your option) |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
9 |
# any later version. |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
10 |
# |
5424
8ecbcbff9777
replace logilab-common by CubicWeb in disclaimer
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5421
diff
changeset
|
11 |
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT |
5421
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
12 |
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
13 |
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
14 |
# details. |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
15 |
# |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
16 |
# You should have received a copy of the GNU Lesser General Public License along |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
17 |
# with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
5886 | 18 |
"""functional tests for server'security""" |
19 |
||
10609
e2d8e81bfe68
[py3k] import range using six.moves
Rémi Cardona <remi.cardona@logilab.fr>
parents:
10600
diff
changeset
|
20 |
from six.moves import range |
e2d8e81bfe68
[py3k] import range using six.moves
Rémi Cardona <remi.cardona@logilab.fr>
parents:
10600
diff
changeset
|
21 |
|
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
22 |
from logilab.common.testlib import unittest_main |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
23 |
|
2773
b2530e3e0afb
[testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
24 |
from cubicweb.devtools.testlib import CubicWebTC |
8546
3d2038d6f20d
[sources/native] automatically update passwords using deprecated hashes on login
Julien Cristau <julien.cristau@logilab.fr>
parents:
8488
diff
changeset
|
25 |
from cubicweb import Unauthorized, ValidationError, QueryError, Binary |
8452
1ad42383a9ec
[rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents:
8075
diff
changeset
|
26 |
from cubicweb.schema import ERQLExpression |
9954
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
27 |
from cubicweb.server.querier import get_local_checks, check_relations_read_access |
8546
3d2038d6f20d
[sources/native] automatically update passwords using deprecated hashes on login
Julien Cristau <julien.cristau@logilab.fr>
parents:
8488
diff
changeset
|
28 |
from cubicweb.server.utils import _CRYPTO_CTX |
0 | 29 |
|
8452
1ad42383a9ec
[rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents:
8075
diff
changeset
|
30 |
|
2773
b2530e3e0afb
[testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
31 |
class BaseSecurityTC(CubicWebTC): |
0 | 32 |
|
7072
bcf96f2a4c5d
[test] properly close connections
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6410
diff
changeset
|
33 |
def setup_database(self): |
bcf96f2a4c5d
[test] properly close connections
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6410
diff
changeset
|
34 |
super(BaseSecurityTC, self).setup_database() |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
35 |
with self.admin_access.client_cnx() as cnx: |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
36 |
self.create_user(cnx, u'iaminusersgrouponly') |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
37 |
hash = _CRYPTO_CTX.encrypt('oldpassword', scheme='des_crypt') |
10769
c45f4bcff3aa
[server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents:
10609
diff
changeset
|
38 |
self.create_user(cnx, u'oldpassword', password=Binary(hash.encode('ascii'))) |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
39 |
|
0 | 40 |
class LowLevelSecurityFunctionTC(BaseSecurityTC): |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
41 |
|
9954
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
42 |
def test_check_relation_read_access(self): |
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
43 |
rql = u'Personne U WHERE U nom "managers"' |
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
44 |
rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0] |
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
45 |
nom = self.repo.schema['Personne'].rdef('nom') |
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
46 |
with self.temporary_permissions((nom, {'read': ('users', 'managers')})): |
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
47 |
with self.admin_access.repo_cnx() as cnx: |
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
48 |
self.repo.vreg.solutions(cnx, rqlst, None) |
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
49 |
check_relations_read_access(cnx, rqlst, {}) |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
50 |
with self.new_access(u'anon').repo_cnx() as cnx: |
9954
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
51 |
self.assertRaises(Unauthorized, |
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
52 |
check_relations_read_access, |
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
53 |
cnx, rqlst, {}) |
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
54 |
self.assertRaises(Unauthorized, cnx.execute, rql) |
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
55 |
|
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
56 |
def test_get_local_checks(self): |
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
57 |
rql = u'Personne U WHERE U nom "managers"' |
3252
c0e10da6f1cf
tests update
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2920
diff
changeset
|
58 |
rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0] |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
59 |
with self.temporary_permissions(Personne={'read': ('users', 'managers')}): |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
60 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
61 |
self.repo.vreg.solutions(cnx, rqlst, None) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
62 |
solution = rqlst.solutions[0] |
9954
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
63 |
localchecks = get_local_checks(cnx, rqlst, solution) |
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
64 |
self.assertEqual({}, localchecks) |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
65 |
with self.new_access(u'anon').repo_cnx() as cnx: |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
66 |
self.assertRaises(Unauthorized, |
9954
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
67 |
get_local_checks, |
79d34ba48612
[CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
9782
diff
changeset
|
68 |
cnx, rqlst, solution) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
69 |
self.assertRaises(Unauthorized, cnx.execute, rql) |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
70 |
|
0 | 71 |
def test_upassword_not_selectable(self): |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
72 |
with self.admin_access.repo_cnx() as cnx: |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
73 |
self.assertRaises(Unauthorized, |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
74 |
cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P') |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
75 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
76 |
self.assertRaises(Unauthorized, |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
77 |
cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P') |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
78 |
|
8546
3d2038d6f20d
[sources/native] automatically update passwords using deprecated hashes on login
Julien Cristau <julien.cristau@logilab.fr>
parents:
8488
diff
changeset
|
79 |
def test_update_password(self): |
9777
b2e47617a94e
[tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
80 |
"""Ensure that if a user's password is stored with a deprecated hash, |
b2e47617a94e
[tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
81 |
it will be updated on next login |
b2e47617a94e
[tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
82 |
""" |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
83 |
with self.repo.internal_cnx() as cnx: |
10769
c45f4bcff3aa
[server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents:
10609
diff
changeset
|
84 |
oldhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser " |
c45f4bcff3aa
[server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents:
10609
diff
changeset
|
85 |
"WHERE cw_login = 'oldpassword'").fetchone()[0] |
c45f4bcff3aa
[server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents:
10609
diff
changeset
|
86 |
oldhash = self.repo.system_source.binary_to_str(oldhash) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
87 |
self.repo.close(self.repo.connect('oldpassword', password='oldpassword')) |
10769
c45f4bcff3aa
[server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents:
10609
diff
changeset
|
88 |
newhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser " |
c45f4bcff3aa
[server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents:
10609
diff
changeset
|
89 |
"WHERE cw_login = 'oldpassword'").fetchone()[0] |
c45f4bcff3aa
[server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents:
10609
diff
changeset
|
90 |
newhash = self.repo.system_source.binary_to_str(newhash) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
91 |
self.assertNotEqual(oldhash, newhash) |
10769
c45f4bcff3aa
[server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents:
10609
diff
changeset
|
92 |
self.assertTrue(newhash.startswith(b'$6$')) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
93 |
self.repo.close(self.repo.connect('oldpassword', password='oldpassword')) |
10769
c45f4bcff3aa
[server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents:
10609
diff
changeset
|
94 |
newnewhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser WHERE " |
c45f4bcff3aa
[server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents:
10609
diff
changeset
|
95 |
"cw_login = 'oldpassword'").fetchone()[0] |
c45f4bcff3aa
[server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents:
10609
diff
changeset
|
96 |
newnewhash = self.repo.system_source.binary_to_str(newnewhash) |
c45f4bcff3aa
[server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents:
10609
diff
changeset
|
97 |
self.assertEqual(newhash, newnewhash) |
8546
3d2038d6f20d
[sources/native] automatically update passwords using deprecated hashes on login
Julien Cristau <julien.cristau@logilab.fr>
parents:
8488
diff
changeset
|
98 |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
99 |
|
5888
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
100 |
class SecurityRewritingTC(BaseSecurityTC): |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
101 |
def hijack_source_execute(self): |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
102 |
def syntax_tree_search(*args, **kwargs): |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
103 |
self.query = (args, kwargs) |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
104 |
return [] |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
105 |
self.repo.system_source.syntax_tree_search = syntax_tree_search |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
106 |
|
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
107 |
def tearDown(self): |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
108 |
self.repo.system_source.__dict__.pop('syntax_tree_search', None) |
7072
bcf96f2a4c5d
[test] properly close connections
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
6410
diff
changeset
|
109 |
super(SecurityRewritingTC, self).tearDown() |
5888
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
110 |
|
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
111 |
def test_not_relation_read_security(self): |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
112 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
113 |
self.hijack_source_execute() |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
114 |
cnx.execute('Any U WHERE NOT A todo_by U, A is Affaire') |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
115 |
self.assertEqual(self.query[0][1].as_string(), |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
116 |
'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire') |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
117 |
cnx.execute('Any U WHERE NOT EXISTS(A todo_by U), A is Affaire') |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
118 |
self.assertEqual(self.query[0][1].as_string(), |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
119 |
'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire') |
5888
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
120 |
|
0 | 121 |
class SecurityTC(BaseSecurityTC): |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
122 |
|
0 | 123 |
def setUp(self): |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
124 |
super(SecurityTC, self).setUp() |
0 | 125 |
# implicitly test manager can add some entities |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
126 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
127 |
cnx.execute("INSERT Affaire X: X sujet 'cool'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
128 |
cnx.execute("INSERT Societe X: X nom 'logilab'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
129 |
cnx.execute("INSERT Personne X: X nom 'bidule'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
130 |
cnx.execute('INSERT CWGroup X: X name "staff"') |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
131 |
cnx.commit() |
0 | 132 |
|
133 |
def test_insert_security(self): |
|
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
134 |
with self.new_access(u'anon').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
135 |
cnx.execute("INSERT Personne X: X nom 'bidule'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
136 |
self.assertRaises(Unauthorized, cnx.commit) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
137 |
self.assertEqual(cnx.execute('Personne X').rowcount, 1) |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
138 |
|
10153
85cbf16fbb57
[security] Test case and fix for an INSERT security hole
Julien Cristau <julien.cristau@logilab.fr>
parents:
9981
diff
changeset
|
139 |
def test_insert_security_2(self): |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
140 |
with self.new_access(u'anon').repo_cnx() as cnx: |
10158
efc8645ece43
[server/test] convert new test to 3.19 API
Julien Cristau <julien.cristau@logilab.fr>
parents:
10156
diff
changeset
|
141 |
cnx.execute("INSERT Affaire X") |
efc8645ece43
[server/test] convert new test to 3.19 API
Julien Cristau <julien.cristau@logilab.fr>
parents:
10156
diff
changeset
|
142 |
self.assertRaises(Unauthorized, cnx.commit) |
10153
85cbf16fbb57
[security] Test case and fix for an INSERT security hole
Julien Cristau <julien.cristau@logilab.fr>
parents:
9981
diff
changeset
|
143 |
# anon has no read permission on Affaire entities, so |
85cbf16fbb57
[security] Test case and fix for an INSERT security hole
Julien Cristau <julien.cristau@logilab.fr>
parents:
9981
diff
changeset
|
144 |
# rowcount == 0 |
10158
efc8645ece43
[server/test] convert new test to 3.19 API
Julien Cristau <julien.cristau@logilab.fr>
parents:
10156
diff
changeset
|
145 |
self.assertEqual(cnx.execute('Affaire X').rowcount, 0) |
10153
85cbf16fbb57
[security] Test case and fix for an INSERT security hole
Julien Cristau <julien.cristau@logilab.fr>
parents:
9981
diff
changeset
|
146 |
|
0 | 147 |
def test_insert_rql_permission(self): |
148 |
# test user can only add une affaire related to a societe he owns |
|
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
149 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
150 |
cnx.execute("INSERT Affaire X: X sujet 'cool'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
151 |
self.assertRaises(Unauthorized, cnx.commit) |
0 | 152 |
# test nothing has actually been inserted |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
153 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
154 |
self.assertEqual(cnx.execute('Affaire X').rowcount, 1) |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
155 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
156 |
cnx.execute("INSERT Affaire X: X sujet 'cool'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
157 |
cnx.execute("INSERT Societe X: X nom 'chouette'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
158 |
cnx.execute("SET A concerne S WHERE A sujet 'cool', S nom 'chouette'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
159 |
cnx.commit() |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
160 |
|
0 | 161 |
def test_update_security_1(self): |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
162 |
with self.new_access(u'anon').repo_cnx() as cnx: |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
163 |
# local security check |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
164 |
cnx.execute( "SET X nom 'bidulechouette' WHERE X is Personne") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
165 |
self.assertRaises(Unauthorized, cnx.commit) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
166 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
167 |
self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0) |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
168 |
|
0 | 169 |
def test_update_security_2(self): |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
170 |
with self.temporary_permissions(Personne={'read': ('users', 'managers'), |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
171 |
'add': ('guests', 'users', 'managers')}): |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
172 |
with self.new_access(u'anon').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
173 |
self.assertRaises(Unauthorized, cnx.execute, |
9777
b2e47617a94e
[tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
174 |
"SET X nom 'bidulechouette' WHERE X is Personne") |
0 | 175 |
# test nothing has actually been inserted |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
176 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
177 |
self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0) |
0 | 178 |
|
179 |
def test_update_security_3(self): |
|
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
180 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
181 |
cnx.execute("INSERT Personne X: X nom 'biduuule'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
182 |
cnx.execute("INSERT Societe X: X nom 'looogilab'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
183 |
cnx.execute("SET X travaille S WHERE X nom 'biduuule', S nom 'looogilab'") |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
184 |
|
10114
6f4b4567b77d
[security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9984
diff
changeset
|
185 |
def test_insert_immutable_attribute_update(self): |
6f4b4567b77d
[security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9984
diff
changeset
|
186 |
with self.admin_access.repo_cnx() as cnx: |
6f4b4567b77d
[security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9984
diff
changeset
|
187 |
cnx.create_entity('Old', name=u'Babar') |
6f4b4567b77d
[security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9984
diff
changeset
|
188 |
cnx.commit() |
6f4b4567b77d
[security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9984
diff
changeset
|
189 |
# this should be equivalent |
6f4b4567b77d
[security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9984
diff
changeset
|
190 |
o = cnx.create_entity('Old') |
6f4b4567b77d
[security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9984
diff
changeset
|
191 |
o.cw_set(name=u'Celeste') |
6f4b4567b77d
[security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9984
diff
changeset
|
192 |
cnx.commit() |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
193 |
|
0 | 194 |
def test_update_rql_permission(self): |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
195 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
196 |
cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
197 |
cnx.commit() |
0 | 198 |
# test user can only update une affaire related to a societe he owns |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
199 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
200 |
cnx.execute("SET X sujet 'pascool' WHERE X is Affaire") |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
201 |
# this won't actually do anything since the selection query won't return anything |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
202 |
cnx.commit() |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
203 |
# to actually get Unauthorized exception, try to update an entity we can read |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
204 |
cnx.execute("SET X nom 'toto' WHERE X is Societe") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
205 |
self.assertRaises(Unauthorized, cnx.commit) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
206 |
cnx.execute("INSERT Affaire X: X sujet 'pascool'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
207 |
cnx.execute("INSERT Societe X: X nom 'chouette'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
208 |
cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
209 |
cnx.execute("SET X sujet 'habahsicestcool' WHERE X sujet 'pascool'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
210 |
cnx.commit() |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
211 |
|
0 | 212 |
def test_delete_security(self): |
213 |
# FIXME: sample below fails because we don't detect "owner" can't delete |
|
214 |
# user anyway, and since no user with login == 'bidule' exists, no |
|
215 |
# exception is raised |
|
216 |
#user._groups = {'guests':1} |
|
217 |
#self.assertRaises(Unauthorized, |
|
1398
5fe84a5f7035
rename internal entity types to have CW prefix instead of E
sylvain.thenault@logilab.fr
parents:
389
diff
changeset
|
218 |
# self.o.execute, user, "DELETE CWUser X WHERE X login 'bidule'") |
0 | 219 |
# check local security |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
220 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
221 |
self.assertRaises(Unauthorized, cnx.execute, "DELETE CWGroup Y WHERE Y name 'staff'") |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
222 |
|
0 | 223 |
def test_delete_rql_permission(self): |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
224 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
225 |
cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
226 |
cnx.commit() |
0 | 227 |
# test user can only dele une affaire related to a societe he owns |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
228 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
229 |
# this won't actually do anything since the selection query won't return anything |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
230 |
cnx.execute("DELETE Affaire X") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
231 |
cnx.commit() |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
232 |
# to actually get Unauthorized exception, try to delete an entity we can read |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
233 |
self.assertRaises(Unauthorized, cnx.execute, "DELETE Societe S") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
234 |
self.assertRaises(QueryError, cnx.commit) # can't commit anymore |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
235 |
cnx.rollback() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
236 |
cnx.execute("INSERT Affaire X: X sujet 'pascool'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
237 |
cnx.execute("INSERT Societe X: X nom 'chouette'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
238 |
cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
239 |
cnx.commit() |
0 | 240 |
## # this one should fail since it will try to delete two affaires, one authorized |
241 |
## # and the other not |
|
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
242 |
## self.assertRaises(Unauthorized, cnx.execute, "DELETE Affaire X") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
243 |
cnx.execute("DELETE Affaire X WHERE X sujet 'pascool'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
244 |
cnx.commit() |
0 | 245 |
|
246 |
def test_insert_relation_rql_permission(self): |
|
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
247 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
248 |
cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe") |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
249 |
# should raise Unauthorized since user don't own S though this won't |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
250 |
# actually do anything since the selection query won't return |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
251 |
# anything |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
252 |
cnx.commit() |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
253 |
# to actually get Unauthorized exception, try to insert a relation |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
254 |
# were we can read both entities |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
255 |
rset = cnx.execute('Personne P') |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
256 |
self.assertEqual(len(rset), 1) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
257 |
ent = rset.get_entity(0, 0) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
258 |
self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe')) |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
259 |
self.assertRaises(Unauthorized, ent.cw_check_perm, 'update') |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
260 |
self.assertRaises(Unauthorized, |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
261 |
cnx.execute, "SET P travaille S WHERE P is Personne, S is Societe") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
262 |
self.assertRaises(QueryError, cnx.commit) # can't commit anymore |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
263 |
cnx.rollback() |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
264 |
# test nothing has actually been inserted: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
265 |
self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe')) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
266 |
cnx.execute("INSERT Societe X: X nom 'chouette'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
267 |
cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
268 |
cnx.commit() |
0 | 269 |
|
270 |
def test_delete_relation_rql_permission(self): |
|
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
271 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
272 |
cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
273 |
cnx.commit() |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
274 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
275 |
# this won't actually do anything since the selection query won't return anything |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
276 |
cnx.execute("DELETE A concerne S") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
277 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
278 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
279 |
# to actually get Unauthorized exception, try to delete a relation we can read |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
280 |
eid = cnx.execute("INSERT Affaire X: X sujet 'pascool'")[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
281 |
cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"', |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
282 |
{'x': eid}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
283 |
cnx.execute("SET A concerne S WHERE A sujet 'pascool', S is Societe") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
284 |
cnx.commit() |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
285 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
286 |
self.assertRaises(Unauthorized, cnx.execute, "DELETE A concerne S") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
287 |
self.assertRaises(QueryError, cnx.commit) # can't commit anymore |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
288 |
cnx.rollback() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
289 |
cnx.execute("INSERT Societe X: X nom 'chouette'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
290 |
cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
291 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
292 |
cnx.execute("DELETE A concerne S WHERE S nom 'chouette'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
293 |
cnx.commit() |
0 | 294 |
|
295 |
||
296 |
def test_user_can_change_its_upassword(self): |
|
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
297 |
with self.admin_access.repo_cnx() as cnx: |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
298 |
ueid = self.create_user(cnx, u'user').eid |
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
299 |
with self.new_access(u'user').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
300 |
cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s', |
10769
c45f4bcff3aa
[server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents:
10609
diff
changeset
|
301 |
{'x': ueid, 'passwd': b'newpwd'}) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
302 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
303 |
self.repo.close(self.repo.connect('user', password='newpwd')) |
0 | 304 |
|
305 |
def test_user_cant_change_other_upassword(self): |
|
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
306 |
with self.admin_access.repo_cnx() as cnx: |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
307 |
ueid = self.create_user(cnx, u'otheruser').eid |
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
308 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
309 |
cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s', |
10769
c45f4bcff3aa
[server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents:
10609
diff
changeset
|
310 |
{'x': ueid, 'passwd': b'newpwd'}) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
311 |
self.assertRaises(Unauthorized, cnx.commit) |
0 | 312 |
|
313 |
# read security test |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
314 |
|
0 | 315 |
def test_read_base(self): |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
316 |
with self.temporary_permissions(Personne={'read': ('users', 'managers')}): |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
317 |
with self.new_access(u'anon').repo_cnx() as cnx: |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
318 |
self.assertRaises(Unauthorized, |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
319 |
cnx.execute, 'Personne U where U nom "managers"') |
0 | 320 |
|
321
247947250382
fix security bug w/ query using 'NOT X eid 123'
Sylvain Thenault <sylvain.thenault@logilab.fr>
parents:
0
diff
changeset
|
321 |
def test_read_erqlexpr_base(self): |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
322 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
323 |
eid = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
324 |
cnx.commit() |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
325 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
326 |
rset = cnx.execute('Affaire X') |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
327 |
self.assertEqual(rset.rows, []) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
328 |
self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid}) |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
329 |
# cache test |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
330 |
self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
331 |
aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
332 |
soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
333 |
cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
334 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
335 |
rset = cnx.execute('Any X WHERE X eid %(x)s', {'x': aff2}) |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
336 |
self.assertEqual(rset.rows, [[aff2]]) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
337 |
# more cache test w/ NOT eid |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
338 |
rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': eid}) |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
339 |
self.assertEqual(rset.rows, [[aff2]]) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
340 |
rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': aff2}) |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
341 |
self.assertEqual(rset.rows, []) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
342 |
# test can't update an attribute of an entity that can't be readen |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
343 |
self.assertRaises(Unauthorized, cnx.execute, |
9777
b2e47617a94e
[tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
344 |
'SET X sujet "hacked" WHERE X eid %(x)s', {'x': eid}) |
4765 | 345 |
|
346 |
||
347 |
def test_entity_created_in_transaction(self): |
|
348 |
affschema = self.schema['Affaire'] |
|
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
349 |
with self.temporary_permissions(Affaire={'read': affschema.permissions['add']}): |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
350 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
351 |
aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0] |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
352 |
# entity created in transaction are readable *by eid* |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
353 |
self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2})) |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
354 |
# XXX would be nice if it worked |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
355 |
rset = cnx.execute("Affaire X WHERE X sujet 'cool'") |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
356 |
self.assertEqual(len(rset), 0) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
357 |
self.assertRaises(Unauthorized, cnx.commit) |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
358 |
|
0 | 359 |
def test_read_erqlexpr_has_text1(self): |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
360 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
361 |
aff1 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
362 |
card1 = cnx.execute("INSERT Card X: X title 'cool'")[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
363 |
cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"', |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
364 |
{'x': card1}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
365 |
cnx.commit() |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
366 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
367 |
aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
368 |
soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
369 |
cnx.execute("SET A concerne S WHERE A eid %(a)s, S eid %(s)s", {'a': aff2, 's': soc1}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
370 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
371 |
self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x':aff1}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
372 |
self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2})) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
373 |
self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':card1})) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
374 |
rset = cnx.execute("Any X WHERE X has_text 'cool'") |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
375 |
self.assertEqual(sorted(eid for eid, in rset.rows), |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
376 |
[card1, aff2]) |
0 | 377 |
|
378 |
def test_read_erqlexpr_has_text2(self): |
|
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
379 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
380 |
cnx.execute("INSERT Personne X: X nom 'bidule'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
381 |
cnx.execute("INSERT Societe X: X nom 'bidule'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
382 |
cnx.commit() |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
383 |
with self.temporary_permissions(Personne={'read': ('managers',)}): |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
384 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
385 |
rset = cnx.execute('Any N WHERE N has_text "bidule"') |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
386 |
self.assertEqual(len(rset.rows), 1, rset.rows) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
387 |
rset = cnx.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")') |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
388 |
self.assertEqual(len(rset.rows), 1, rset.rows) |
0 | 389 |
|
390 |
def test_read_erqlexpr_optional_rel(self): |
|
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
391 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
392 |
cnx.execute("INSERT Personne X: X nom 'bidule'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
393 |
cnx.execute("INSERT Societe X: X nom 'bidule'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
394 |
cnx.commit() |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
395 |
with self.temporary_permissions(Personne={'read': ('managers',)}): |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
396 |
with self.new_access(u'anon').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
397 |
rset = cnx.execute('Any N,U WHERE N has_text "bidule", N owned_by U?') |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
398 |
self.assertEqual(len(rset.rows), 1, rset.rows) |
0 | 399 |
|
400 |
def test_read_erqlexpr_aggregat(self): |
|
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
401 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
402 |
cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
403 |
cnx.commit() |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
404 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
405 |
rset = cnx.execute('Any COUNT(X) WHERE X is Affaire') |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
406 |
self.assertEqual(rset.rows, [[0]]) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
407 |
aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
408 |
soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
409 |
cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
410 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
411 |
rset = cnx.execute('Any COUNT(X) WHERE X is Affaire') |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
412 |
self.assertEqual(rset.rows, [[1]]) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
413 |
rset = cnx.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN') |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
414 |
values = dict(rset) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
415 |
self.assertEqual(values['Affaire'], 1) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
416 |
self.assertEqual(values['Societe'], 2) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
417 |
rset = cnx.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN ' |
9777
b2e47617a94e
[tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
418 |
'WITH X BEING ((Affaire X) UNION (Societe X))') |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
419 |
self.assertEqual(len(rset), 2) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
420 |
values = dict(rset) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
421 |
self.assertEqual(values['Affaire'], 1) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
422 |
self.assertEqual(values['Societe'], 2) |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
423 |
|
0 | 424 |
|
425 |
def test_attribute_security(self): |
|
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
426 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
427 |
# only managers should be able to edit the 'test' attribute of Personne entities |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
428 |
eid = cnx.execute("INSERT Personne X: X nom 'bidule', " |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
429 |
"X web 'http://www.debian.org', X test TRUE")[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
430 |
cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
431 |
cnx.commit() |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
432 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
433 |
cnx.execute("INSERT Personne X: X nom 'bidule', " |
9777
b2e47617a94e
[tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
434 |
"X web 'http://www.debian.org', X test TRUE") |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
435 |
self.assertRaises(Unauthorized, cnx.commit) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
436 |
cnx.execute("INSERT Personne X: X nom 'bidule', " |
9777
b2e47617a94e
[tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
437 |
"X web 'http://www.debian.org', X test FALSE") |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
438 |
self.assertRaises(Unauthorized, cnx.commit) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
439 |
eid = cnx.execute("INSERT Personne X: X nom 'bidule', " |
9777
b2e47617a94e
[tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
440 |
"X web 'http://www.debian.org'")[0][0] |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
441 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
442 |
cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
443 |
self.assertRaises(Unauthorized, cnx.commit) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
444 |
cnx.execute('SET X test TRUE WHERE X eid %(x)s', {'x': eid}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
445 |
self.assertRaises(Unauthorized, cnx.commit) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
446 |
cnx.execute('SET X web "http://www.logilab.org" WHERE X eid %(x)s', {'x': eid}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
447 |
cnx.commit() |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
448 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9984 | 449 |
cnx.execute('INSERT Frozable F: F name "Foo"') |
450 |
cnx.commit() |
|
451 |
cnx.execute('SET F name "Bar" WHERE F is Frozable') |
|
452 |
cnx.commit() |
|
453 |
cnx.execute('SET F name "BaBar" WHERE F is Frozable') |
|
454 |
cnx.execute('SET F frozen True WHERE F is Frozable') |
|
9981
7099bbd685aa
[hooks/security] allow edition of attributes with permissive permissions
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
455 |
with self.assertRaises(Unauthorized): |
9984 | 456 |
cnx.commit() |
457 |
cnx.rollback() |
|
458 |
cnx.execute('SET F frozen True WHERE F is Frozable') |
|
459 |
cnx.commit() |
|
460 |
cnx.execute('SET F name "Bar" WHERE F is Frozable') |
|
9981
7099bbd685aa
[hooks/security] allow edition of attributes with permissive permissions
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
461 |
with self.assertRaises(Unauthorized): |
9984 | 462 |
cnx.commit() |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
463 |
|
0 | 464 |
def test_attribute_security_rqlexpr(self): |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
465 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
466 |
# Note.para attribute editable by managers or if the note is in "todo" state |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
467 |
note = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
468 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
469 |
note.cw_adapt_to('IWorkflowable').fire_transition('markasdone') |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
470 |
cnx.execute('SET X para "truc" WHERE X eid %(x)s', {'x': note.eid}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
471 |
cnx.commit() |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
472 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
473 |
cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note.eid}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
474 |
self.assertRaises(Unauthorized, cnx.commit) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
475 |
note2 = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
476 |
cnx.commit() |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
477 |
note2.cw_adapt_to('IWorkflowable').fire_transition('markasdone') |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
478 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
479 |
self.assertEqual(len(cnx.execute('Any X WHERE X in_state S, S name "todo", X eid %(x)s', |
9777
b2e47617a94e
[tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
480 |
{'x': note2.eid})), |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
481 |
0) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
482 |
cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
483 |
self.assertRaises(Unauthorized, cnx.commit) |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
484 |
note2.cw_adapt_to('IWorkflowable').fire_transition('redoit') |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
485 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
486 |
cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
487 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
488 |
cnx.execute("INSERT Note X: X something 'A'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
489 |
self.assertRaises(Unauthorized, cnx.commit) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
490 |
cnx.execute("INSERT Note X: X para 'zogzog', X something 'A'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
491 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
492 |
note = cnx.execute("INSERT Note X").get_entity(0,0) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
493 |
cnx.commit() |
9395
96dba2efd16d
[hooks/security] provide attribute "add" permission
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
8694
diff
changeset
|
494 |
note.cw_set(something=u'B') |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
495 |
cnx.commit() |
9395
96dba2efd16d
[hooks/security] provide attribute "add" permission
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
8694
diff
changeset
|
496 |
note.cw_set(something=None, para=u'zogzog') |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
497 |
cnx.commit() |
0 | 498 |
|
499 |
def test_attribute_read_security(self): |
|
500 |
# anon not allowed to see users'login, but they can see users |
|
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
501 |
login_rdef = self.repo.schema['CWUser'].rdef('login') |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
502 |
with self.temporary_permissions((login_rdef, {'read': ('users', 'managers')}), |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
503 |
CWUser={'read': ('guests', 'users', 'managers')}): |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
504 |
with self.new_access(u'anon').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
505 |
rset = cnx.execute('CWUser X') |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
506 |
self.assertTrue(rset) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
507 |
x = rset.get_entity(0, 0) |
10463
9add9b7f9df7
[server/test] fix random error in unittest_security
Julien Cristau <julien.cristau@logilab.fr>
parents:
10249
diff
changeset
|
508 |
x.complete() |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
509 |
self.assertEqual(x.login, None) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
510 |
self.assertTrue(x.creation_date) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
511 |
x = rset.get_entity(1, 0) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
512 |
x.complete() |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
513 |
self.assertEqual(x.login, None) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
514 |
self.assertTrue(x.creation_date) |
0 | 515 |
|
8452
1ad42383a9ec
[rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents:
8075
diff
changeset
|
516 |
def test_yams_inheritance_and_security_bug(self): |
9777
b2e47617a94e
[tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
517 |
with self.temporary_permissions(Division={'read': ('managers', |
b2e47617a94e
[tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
518 |
ERQLExpression('X owned_by U'))}): |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
519 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
520 |
querier = cnx.repo.querier |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
521 |
rqlst = querier.parse('Any X WHERE X is_instance_of Societe') |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
522 |
querier.solutions(cnx, rqlst, {}) |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
523 |
querier._annotate(rqlst) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
524 |
plan = querier.plan_factory(rqlst, {}, cnx) |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
525 |
plan.preprocess(rqlst) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
526 |
self.assertEqual( |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
527 |
rqlst.as_string(), |
10249
e38b8d37c5d8
[rqlrewrite] sort possible types when turning is_instance_of into is
Julien Cristau <julien.cristau@logilab.fr>
parents:
10248
diff
changeset
|
528 |
'(Any X WHERE X is IN(Societe, SubDivision)) UNION ' |
9777
b2e47617a94e
[tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9586
diff
changeset
|
529 |
'(Any X WHERE X is Division, EXISTS(X owned_by %(B)s))') |
8452
1ad42383a9ec
[rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents:
8075
diff
changeset
|
530 |
|
1ad42383a9ec
[rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents:
8075
diff
changeset
|
531 |
|
0 | 532 |
class BaseSchemaSecurityTC(BaseSecurityTC): |
533 |
"""tests related to the base schema permission configuration""" |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
534 |
|
0 | 535 |
def test_user_can_delete_object_he_created(self): |
536 |
# even if some other user have changed object'state |
|
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
537 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
538 |
# due to security test, affaire has to concerne a societe the user owns |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
539 |
cnx.execute('INSERT Societe X: X nom "ARCTIA"') |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
540 |
cnx.execute('INSERT Affaire X: X ref "ARCT01", X concerne S WHERE S nom "ARCTIA"') |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
541 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
542 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
543 |
affaire = cnx.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
544 |
affaire.cw_adapt_to('IWorkflowable').fire_transition('abort') |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
545 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
546 |
self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01"')), |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
547 |
1) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
548 |
self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",' |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
549 |
'X owned_by U, U login "admin"')), |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
550 |
1) # TrInfo at the above state change |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
551 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
552 |
cnx.execute('DELETE Affaire X WHERE X ref "ARCT01"') |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
553 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
554 |
self.assertFalse(cnx.execute('Affaire X')) |
0 | 555 |
|
556 |
def test_users_and_groups_non_readable_by_guests(self): |
|
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
557 |
with self.repo.internal_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
558 |
admineid = cnx.execute('CWUser U WHERE U login "admin"').rows[0][0] |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
559 |
with self.new_access(u'anon').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
560 |
anon = cnx.user |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
561 |
# anonymous user can only read itself |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
562 |
rset = cnx.execute('Any L WHERE X owned_by U, U login L') |
8624
7e415f457155
[test] swap order in assert of `test_users_and_groups_non_readable_by_guests`
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents:
8546
diff
changeset
|
563 |
self.assertEqual([['anon']], rset.rows) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
564 |
rset = cnx.execute('CWUser X') |
8624
7e415f457155
[test] swap order in assert of `test_users_and_groups_non_readable_by_guests`
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents:
8546
diff
changeset
|
565 |
self.assertEqual([[anon.eid]], rset.rows) |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
566 |
# anonymous user can read groups (necessary to check allowed transitions for instance) |
10600
180aa08cad48
[tests] Replace use of deprecated TestCase.assert_
Rémi Cardona <remi.cardona@logilab.fr>
parents:
10463
diff
changeset
|
567 |
self.assertTrue(cnx.execute('CWGroup X')) |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
568 |
# should only be able to read the anonymous user, not another one |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
569 |
self.assertRaises(Unauthorized, |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
570 |
cnx.execute, 'CWUser X WHERE X eid %(x)s', {'x': admineid}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
571 |
rset = cnx.execute('CWUser X WHERE X eid %(x)s', {'x': anon.eid}) |
8624
7e415f457155
[test] swap order in assert of `test_users_and_groups_non_readable_by_guests`
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents:
8546
diff
changeset
|
572 |
self.assertEqual([[anon.eid]], rset.rows) |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
573 |
# but can't modify it |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
574 |
cnx.execute('SET X login "toto" WHERE X eid %(x)s', {'x': anon.eid}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
575 |
self.assertRaises(Unauthorized, cnx.commit) |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
576 |
|
0 | 577 |
def test_in_group_relation(self): |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
578 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
579 |
rql = u"DELETE U in_group G WHERE U login 'admin'" |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
580 |
self.assertRaises(Unauthorized, cnx.execute, rql) |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
581 |
rql = u"SET U in_group G WHERE U login 'admin', G name 'users'" |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
582 |
self.assertRaises(Unauthorized, cnx.execute, rql) |
0 | 583 |
|
584 |
def test_owned_by(self): |
|
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
585 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
586 |
cnx.execute("INSERT Personne X: X nom 'bidule'") |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
587 |
cnx.commit() |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
588 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
589 |
rql = u"SET X owned_by U WHERE U login 'iaminusersgrouponly', X is Personne" |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
590 |
self.assertRaises(Unauthorized, cnx.execute, rql) |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
591 |
|
0 | 592 |
def test_bookmarked_by_guests_security(self): |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
593 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
594 |
beid1 = cnx.execute('INSERT Bookmark B: B path "?vid=manage", B title "manage"')[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
595 |
beid2 = cnx.execute('INSERT Bookmark B: B path "?vid=index", B title "index", ' |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
596 |
'B bookmarked_by U WHERE U login "anon"')[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
597 |
cnx.commit() |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
598 |
with self.new_access(u'anon').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
599 |
anoneid = cnx.user.eid |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
600 |
self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,' |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
601 |
'B bookmarked_by U, U eid %s' % anoneid).rows, |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
602 |
[['index', '?vid=index']]) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
603 |
self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,' |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
604 |
'B bookmarked_by U, U eid %(x)s', {'x': anoneid}).rows, |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
605 |
[['index', '?vid=index']]) |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
606 |
# can read others bookmarks as well |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
607 |
self.assertEqual(cnx.execute('Any B where B is Bookmark, NOT B bookmarked_by U').rows, |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
608 |
[[beid1]]) |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
609 |
self.assertRaises(Unauthorized, cnx.execute,'DELETE B bookmarked_by U') |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
610 |
self.assertRaises(Unauthorized, |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
611 |
cnx.execute, 'SET B bookmarked_by U WHERE U eid %(x)s, B eid %(b)s', |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
612 |
{'x': anoneid, 'b': beid1}) |
0 | 613 |
|
614 |
def test_ambigous_ordered(self): |
|
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
615 |
with self.new_access(u'anon').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
616 |
names = [t for t, in cnx.execute('Any N ORDERBY lower(N) WHERE X name N')] |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
617 |
self.assertEqual(names, sorted(names, key=lambda x: x.lower())) |
0 | 618 |
|
619 |
def test_in_state_without_update_perm(self): |
|
620 |
"""check a user change in_state without having update permission on the |
|
621 |
subject |
|
622 |
""" |
|
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
623 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
624 |
eid = cnx.execute('INSERT Affaire X: X ref "ARCT01"')[0][0] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
625 |
cnx.commit() |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
626 |
with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
627 |
# needed to remove rql expr granting update perm to the user |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
628 |
affschema = self.schema['Affaire'] |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
629 |
with self.temporary_permissions(Affaire={'update': affschema.get_groups('update'), |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
630 |
'read': ('users',)}): |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
631 |
self.assertRaises(Unauthorized, |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
632 |
affschema.check_perm, cnx, 'update', eid=eid) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
633 |
aff = cnx.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0) |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
634 |
aff.cw_adapt_to('IWorkflowable').fire_transition('abort') |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
635 |
cnx.commit() |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
636 |
# though changing a user state (even logged user) is reserved to managers |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
637 |
user = cnx.user |
8461
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
638 |
# XXX wether it should raise Unauthorized or ValidationError is not clear |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
639 |
# the best would probably ValidationError if the transition doesn't exist |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
640 |
# from the current state but Unauthorized if it exists but user can't pass it |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
641 |
self.assertRaises(ValidationError, |
8af7c6d86efb
[test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8452
diff
changeset
|
642 |
user.cw_adapt_to('IWorkflowable').fire_transition, 'deactivate') |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
643 |
|
2501
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2500
diff
changeset
|
644 |
def test_trinfo_security(self): |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
645 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
646 |
aff = cnx.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
647 |
iworkflowable = aff.cw_adapt_to('IWorkflowable') |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
648 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
649 |
iworkflowable.fire_transition('abort') |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
650 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
651 |
# can change tr info comment |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
652 |
cnx.execute('SET TI comment %(c)s WHERE TI wf_info_for X, X ref "ARCT01"', |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
653 |
{'c': u'bouh!'}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
654 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
655 |
aff.cw_clear_relation_cache('wf_info_for', 'object') |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
656 |
trinfo = iworkflowable.latest_trinfo() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
657 |
self.assertEqual(trinfo.comment, 'bouh!') |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
658 |
# but not from_state/to_state |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
659 |
aff.cw_clear_relation_cache('wf_info_for', role='object') |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
660 |
self.assertRaises(Unauthorized, cnx.execute, |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
661 |
'SET TI from_state S WHERE TI eid %(ti)s, S name "ben non"', |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
662 |
{'ti': trinfo.eid}) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
663 |
self.assertRaises(Unauthorized, cnx.execute, |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
664 |
'SET TI to_state S WHERE TI eid %(ti)s, S name "pitetre"', |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
665 |
{'ti': trinfo.eid}) |
2501
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2500
diff
changeset
|
666 |
|
8161
6f4229eb8178
[test] fix test broken by 8158:2ee254e74382 and add a test for that change
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8075
diff
changeset
|
667 |
def test_emailaddress_security(self): |
8649
8fbb2f65721e
[test] precheck initial condition
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents:
8546
diff
changeset
|
668 |
# check for prexisting email adresse |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
669 |
with self.admin_access.repo_cnx() as cnx: |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
670 |
if cnx.execute('Any X WHERE X is EmailAddress'): |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
671 |
rset = cnx.execute('Any X, U WHERE X is EmailAddress, U use_email X') |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
672 |
msg = ['Preexisting email readable by anon found!'] |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
673 |
tmpl = ' - "%s" used by user "%s"' |
10609
e2d8e81bfe68
[py3k] import range using six.moves
Rémi Cardona <remi.cardona@logilab.fr>
parents:
10600
diff
changeset
|
674 |
for i in range(len(rset)): |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
675 |
email, user = rset.get_entity(i, 0), rset.get_entity(i, 1) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
676 |
msg.append(tmpl % (email.dc_title(), user.dc_title())) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
677 |
raise RuntimeError('\n'.join(msg)) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
678 |
# actual test |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
679 |
cnx.execute('INSERT EmailAddress X: X address "hop"').get_entity(0, 0) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
680 |
cnx.execute('INSERT EmailAddress X: X address "anon", ' |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
681 |
'U use_email X WHERE U login "anon"').get_entity(0, 0) |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
682 |
cnx.commit() |
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
683 |
self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 2) |
10248
131275d6c268
[server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents:
10161
diff
changeset
|
684 |
with self.new_access(u'anon').repo_cnx() as cnx: |
9782
95e8fa2c8da8
[tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
9777
diff
changeset
|
685 |
self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 1) |
8161
6f4229eb8178
[test] fix test broken by 8158:2ee254e74382 and add a test for that change
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
8075
diff
changeset
|
686 |
|
0 | 687 |
if __name__ == '__main__': |
688 |
unittest_main() |