cubicweb/server/test/unittest_security.py
author Sylvain Thénault <sylvain.thenault@logilab.fr>
Thu, 26 May 2016 15:38:39 +0200
changeset 11477 3b4d41566de3
parent 11348 70337ad23145
child 11699 b48020a80dc3
permissions -rw-r--r--
[repo] Don't crash on start when fs schema is missing some db schema entities This occurs usually while developing and we don't want systematically to rebuild the database to start the instance or run e.g. i18ninstance.
11348
70337ad23145 pep8 + docstrings and comments improvments
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11195
diff changeset
     1
# copyright 2003-2016 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
5421
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     2
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     3
#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     4
# This file is part of CubicWeb.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     5
#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     6
# CubicWeb is free software: you can redistribute it and/or modify it under the
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     7
# terms of the GNU Lesser General Public License as published by the Free
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     8
# Software Foundation, either version 2.1 of the License, or (at your option)
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     9
# any later version.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
    10
#
5424
8ecbcbff9777 replace logilab-common by CubicWeb in disclaimer
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5421
diff changeset
    11
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
5421
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
    12
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
    13
# FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
    14
# details.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
    15
#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
    16
# You should have received a copy of the GNU Lesser General Public License along
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
    17
# with CubicWeb.  If not, see <http://www.gnu.org/licenses/>.
5886
00a78298d30d cleanups
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5426
diff changeset
    18
"""functional tests for server'security"""
00a78298d30d cleanups
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5426
diff changeset
    19
10609
e2d8e81bfe68 [py3k] import range using six.moves
Rémi Cardona <remi.cardona@logilab.fr>
parents: 10600
diff changeset
    20
from six.moves import range
e2d8e81bfe68 [py3k] import range using six.moves
Rémi Cardona <remi.cardona@logilab.fr>
parents: 10600
diff changeset
    21
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    22
from logilab.common.testlib import unittest_main
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
    23
2773
b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2608
diff changeset
    24
from cubicweb.devtools.testlib import CubicWebTC
8546
3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login
Julien Cristau <julien.cristau@logilab.fr>
parents: 8488
diff changeset
    25
from cubicweb import Unauthorized, ValidationError, QueryError, Binary
8452
1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents: 8075
diff changeset
    26
from cubicweb.schema import ERQLExpression
9954
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    27
from cubicweb.server.querier import get_local_checks, check_relations_read_access
8546
3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login
Julien Cristau <julien.cristau@logilab.fr>
parents: 8488
diff changeset
    28
from cubicweb.server.utils import _CRYPTO_CTX
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    29
8452
1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents: 8075
diff changeset
    30
2773
b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2608
diff changeset
    31
class BaseSecurityTC(CubicWebTC):
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    32
7072
bcf96f2a4c5d [test] properly close connections
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6410
diff changeset
    33
    def setup_database(self):
bcf96f2a4c5d [test] properly close connections
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6410
diff changeset
    34
        super(BaseSecurityTC, self).setup_database()
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    35
        with self.admin_access.client_cnx() as cnx:
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
    36
            self.create_user(cnx, u'iaminusersgrouponly')
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    37
            hash = _CRYPTO_CTX.encrypt('oldpassword', scheme='des_crypt')
10769
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    38
            self.create_user(cnx, u'oldpassword', password=Binary(hash.encode('ascii')))
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
    39
11348
70337ad23145 pep8 + docstrings and comments improvments
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11195
diff changeset
    40
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    41
class LowLevelSecurityFunctionTC(BaseSecurityTC):
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
    42
9954
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    43
    def test_check_relation_read_access(self):
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    44
        rql = u'Personne U WHERE U nom "managers"'
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    45
        rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    46
        nom = self.repo.schema['Personne'].rdef('nom')
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    47
        with self.temporary_permissions((nom, {'read': ('users', 'managers')})):
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    48
            with self.admin_access.repo_cnx() as cnx:
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    49
                self.repo.vreg.solutions(cnx, rqlst, None)
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    50
                check_relations_read_access(cnx, rqlst, {})
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
    51
            with self.new_access(u'anon').repo_cnx() as cnx:
9954
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    52
                self.assertRaises(Unauthorized,
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    53
                                  check_relations_read_access,
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    54
                                  cnx, rqlst, {})
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    55
                self.assertRaises(Unauthorized, cnx.execute, rql)
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    56
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    57
    def test_get_local_checks(self):
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    58
        rql = u'Personne U WHERE U nom "managers"'
3252
c0e10da6f1cf tests update
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2920
diff changeset
    59
        rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
    60
        with self.temporary_permissions(Personne={'read': ('users', 'managers')}):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    61
            with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    62
                self.repo.vreg.solutions(cnx, rqlst, None)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    63
                solution = rqlst.solutions[0]
9954
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    64
                localchecks = get_local_checks(cnx, rqlst, solution)
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    65
                self.assertEqual({}, localchecks)
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
    66
            with self.new_access(u'anon').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
    67
                self.assertRaises(Unauthorized,
9954
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    68
                                  get_local_checks,
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    69
                                  cnx, rqlst, solution)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    70
                self.assertRaises(Unauthorized, cnx.execute, rql)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
    71
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    72
    def test_upassword_not_selectable(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    73
        with self.admin_access.repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
    74
            self.assertRaises(Unauthorized,
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    75
                              cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
    76
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    77
            self.assertRaises(Unauthorized,
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    78
                              cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
    79
8546
3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login
Julien Cristau <julien.cristau@logilab.fr>
parents: 8488
diff changeset
    80
    def test_update_password(self):
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
    81
        """Ensure that if a user's password is stored with a deprecated hash,
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
    82
        it will be updated on next login
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
    83
        """
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    84
        with self.repo.internal_cnx() as cnx:
10769
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    85
            oldhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser "
11348
70337ad23145 pep8 + docstrings and comments improvments
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11195
diff changeset
    86
                                     "WHERE cw_login = 'oldpassword'").fetchone()[0]
10769
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    87
            oldhash = self.repo.system_source.binary_to_str(oldhash)
11195
5de859b95988 [session, repository] deprecate repo.connect and move .close reponsibility to session object
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 11057
diff changeset
    88
            session = self.repo.new_session('oldpassword', password='oldpassword')
5de859b95988 [session, repository] deprecate repo.connect and move .close reponsibility to session object
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 11057
diff changeset
    89
            session.close()
10769
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    90
            newhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser "
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    91
                                     "WHERE cw_login = 'oldpassword'").fetchone()[0]
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    92
            newhash = self.repo.system_source.binary_to_str(newhash)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    93
            self.assertNotEqual(oldhash, newhash)
10769
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    94
            self.assertTrue(newhash.startswith(b'$6$'))
11195
5de859b95988 [session, repository] deprecate repo.connect and move .close reponsibility to session object
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 11057
diff changeset
    95
            session = self.repo.new_session('oldpassword', password='oldpassword')
5de859b95988 [session, repository] deprecate repo.connect and move .close reponsibility to session object
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 11057
diff changeset
    96
            session.close()
10769
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    97
            newnewhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser WHERE "
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    98
                                        "cw_login = 'oldpassword'").fetchone()[0]
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    99
            newnewhash = self.repo.system_source.binary_to_str(newnewhash)
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
   100
            self.assertEqual(newhash, newnewhash)
8546
3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login
Julien Cristau <julien.cristau@logilab.fr>
parents: 8488
diff changeset
   101
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   102
5888
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   103
class SecurityRewritingTC(BaseSecurityTC):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   104
    def hijack_source_execute(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   105
        def syntax_tree_search(*args, **kwargs):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   106
            self.query = (args, kwargs)
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   107
            return []
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   108
        self.repo.system_source.syntax_tree_search = syntax_tree_search
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   109
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   110
    def tearDown(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   111
        self.repo.system_source.__dict__.pop('syntax_tree_search', None)
7072
bcf96f2a4c5d [test] properly close connections
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6410
diff changeset
   112
        super(SecurityRewritingTC, self).tearDown()
5888
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   113
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   114
    def test_not_relation_read_security(self):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   115
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   116
            self.hijack_source_execute()
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   117
            cnx.execute('Any U WHERE NOT A todo_by U, A is Affaire')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   118
            self.assertEqual(self.query[0][1].as_string(),
11348
70337ad23145 pep8 + docstrings and comments improvments
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11195
diff changeset
   119
                             'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   120
            cnx.execute('Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   121
            self.assertEqual(self.query[0][1].as_string(),
11348
70337ad23145 pep8 + docstrings and comments improvments
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11195
diff changeset
   122
                             'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
70337ad23145 pep8 + docstrings and comments improvments
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 11195
diff changeset
   123
5888
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   124
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   125
class SecurityTC(BaseSecurityTC):
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   126
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   127
    def setUp(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   128
        super(SecurityTC, self).setUp()
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   129
        # implicitly test manager can add some entities
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   130
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   131
            cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   132
            cnx.execute("INSERT Societe X: X nom 'logilab'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   133
            cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   134
            cnx.execute('INSERT CWGroup X: X name "staff"')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   135
            cnx.commit()
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   136
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   137
    def test_insert_security(self):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   138
        with self.new_access(u'anon').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   139
            cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   140
            self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   141
            self.assertEqual(cnx.execute('Personne X').rowcount, 1)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   142
10153
85cbf16fbb57 [security] Test case and fix for an INSERT security hole
Julien Cristau <julien.cristau@logilab.fr>
parents: 9981
diff changeset
   143
    def test_insert_security_2(self):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   144
        with self.new_access(u'anon').repo_cnx() as cnx:
10158
efc8645ece43 [server/test] convert new test to 3.19 API
Julien Cristau <julien.cristau@logilab.fr>
parents: 10156
diff changeset
   145
            cnx.execute("INSERT Affaire X")
efc8645ece43 [server/test] convert new test to 3.19 API
Julien Cristau <julien.cristau@logilab.fr>
parents: 10156
diff changeset
   146
            self.assertRaises(Unauthorized, cnx.commit)
10153
            # anon has no read permission on Affaire entities, so
            # rowcount == 0
            self.assertEqual(cnx.execute('Affaire X').rowcount, 0)

    def test_insert_rql_permission(self):
        # test user can only add an Affaire related to a Societe they own
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
            cnx.execute("INSERT Affaire X: X sujet 'cool'")
            self.assertRaises(Unauthorized, cnx.commit)
        # test nothing has actually been inserted
        with self.admin_access.repo_cnx() as cnx:
            self.assertEqual(cnx.execute('Affaire X').rowcount, 1)
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
            cnx.execute("INSERT Affaire X: X sujet 'cool'")
            cnx.execute("INSERT Societe X: X nom 'chouette'")
            cnx.execute("SET A concerne S WHERE A sujet 'cool', S nom 'chouette'")
            cnx.commit()

    def test_update_security_1(self):
        with self.new_access(u'anon').repo_cnx() as cnx:
            # local security check
            cnx.execute("SET X nom 'bidulechouette' WHERE X is Personne")
            self.assertRaises(Unauthorized, cnx.commit)
        with self.admin_access.repo_cnx() as cnx:
            self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)

    def test_update_security_2(self):
        with self.temporary_permissions(Personne={'read': ('users', 'managers'),
                                                  'add': ('guests', 'users', 'managers')}):
            with self.new_access(u'anon').repo_cnx() as cnx:
                self.assertRaises(Unauthorized, cnx.execute,
                                  "SET X nom 'bidulechouette' WHERE X is Personne")
        # test nothing has actually been updated
        with self.admin_access.repo_cnx() as cnx:
            self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)

    def test_update_security_3(self):
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
            cnx.execute("INSERT Personne X: X nom 'biduuule'")
            cnx.execute("INSERT Societe X: X nom 'looogilab'")
            cnx.execute("SET X travaille S WHERE X nom 'biduuule', S nom 'looogilab'")

    def test_insert_immutable_attribute_update(self):
        with self.admin_access.repo_cnx() as cnx:
            cnx.create_entity('Old', name=u'Babar')
            cnx.commit()
            # this should be equivalent: the attribute is set on an entity created
            # in the same transaction, so the check is dispatched on the 'add'
            # action rather than on 'update'
            o = cnx.create_entity('Old')
            o.cw_set(name=u'Celeste')
            cnx.commit()

    def test_update_rql_permission(self):
        with self.admin_access.repo_cnx() as cnx:
            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
            cnx.commit()
        # test user can only update an Affaire related to a Societe they own
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
            cnx.execute("SET X sujet 'pascool' WHERE X is Affaire")
            # this won't actually do anything since the selection query won't return anything
            cnx.commit()
            # to actually get Unauthorized exception, try to update an entity we can read
            cnx.execute("SET X nom 'toto' WHERE X is Societe")
            self.assertRaises(Unauthorized, cnx.commit)
            cnx.execute("INSERT Affaire X: X sujet 'pascool'")
            cnx.execute("INSERT Societe X: X nom 'chouette'")
            cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")
            cnx.execute("SET X sujet 'habahsicestcool' WHERE X sujet 'pascool'")
            cnx.commit()

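The tests from test_insert_rql_permission down to test_update_rql_permission, together with test_update_security_2 and test_insert_immutable_attribute_update, encode several distinct behaviours of the permission layer that are easy to conflate: a read permission written as an RQL expression filters the selection, so a SET against entities the user cannot see silently changes nothing; a type the user may never read at all is refused at execute time, after which the transaction cannot be committed until it is rolled back; 'add' and attribute checks run at commit, once relations have been set in the same transaction; and an entity created in the transaction is checked with 'add' rather than 'update'. The following is an added example, not CubicWeb code and not part of this test suite: an in-memory model of those rules, replayed against the page's entity types (Affaire, Societe, Old). The permission table, the groups, the logins, the storage of the 'concerne' link as a plain attribute, and the rule that any execute-time denial poisons the transaction are assumptions made for illustration.

```python
# Added example, not CubicWeb code: an in-memory model of the permission semantics the
# write-security tests above rely on; types, groups, permissions and logins are made up.
from collections import namedtuple

User = namedtuple('User', 'login groups')   # groups: a set of group names

class Unauthorized(Exception): pass   # a real denial: the user could see the entity
class QueryError(Exception): pass     # commit() after a failed statement, before rollback()

def concerns_owned_societe(cnx, ent):
    """Stand-in for the RQL expression 'X concerne S, S owned_by U' (link = eid attribute)."""
    link = ent.get('concerne')
    s = cnx.pending.get(link) or cnx.db.get(link)
    return s is not None and s['etype'] == 'Societe' and s['owner'] == cnx.user.login

# action -> (groups, expression): allowed if the user is in one of the groups or the
# expression holds for that entity. Empty groups and no expression means never.
AFF, M, MU = ({'managers'}, concerns_owned_societe), ({'managers'}, None), ({'managers', 'users'}, None)
PERMS = {'Affaire': dict.fromkeys(('read', 'add', 'update', 'delete'), AFF),
         'Societe': {'read': MU, 'add': MU, 'update': M, 'delete': M},
         'Old': {'read': MU, 'add': MU, 'update': (set(), None), 'delete': M}}

class Connection:
    """One transaction against `db`, a shared dict eid -> committed entity dict."""
    def __init__(self, db, user):
        self.db, self.user = db, user
        self.rollback()

    def rollback(self):
        self.pending, self.created, self.failed = {}, set(), False

    def allowed(self, ent, action):
        groups, expr = PERMS[ent['etype']][action]
        return bool(self.user.groups & groups) or (expr is not None and expr(self, ent))

    def select(self, etype):
        """Read security is a filter; only a type never readable is refused, at execute time."""
        groups, expr = PERMS[etype]['read']
        if not (self.user.groups & groups) and expr is None:
            self.failed = True      # assumed: a failed statement poisons the transaction
            raise Unauthorized('read', etype)
        rows = (self.pending.get(e) or self.db.get(e) for e in sorted(set(self.db) | set(self.pending)))
        # entities created by this very transaction are visible to it (model assumption)
        return [e for e in rows if e['etype'] == etype
                and (e['eid'] in self.created or self.allowed(e, 'read'))]

    def insert(self, etype, **attrs):
        eid = max(list(self.db) + list(self.pending) + [0]) + 1
        self.pending[eid] = dict(attrs, eid=eid, etype=etype, owner=self.user.login)
        self.created.add(eid)   # 'add' is checked at commit, once relations are in place
        return eid

    def set_attrs(self, etype, **attrs):
        """SET X a V WHERE X is T: touches only what select() returns (empty = silent no-op)."""
        for ent in self.select(etype):
            self.pending.setdefault(ent['eid'], dict(ent)).update(attrs)

    def commit(self):
        if self.failed:
            raise QueryError('transaction must be rolled back')
        for eid, ent in self.pending.items():
            # a just-created entity is checked with 'add', even if attributes were set later
            if not self.allowed(ent, 'add' if eid in self.created else 'update'):
                self.rollback()
                raise Unauthorized(ent['etype'], eid)
        self.db.update(self.pending)
        self.rollback()

def outcome(fn):
    try:
        fn()
        return 'ok'
    except (Unauthorized, QueryError) as exc:
        return type(exc).__name__

def scenario():
    """Replay the tests above against the model; returns each step's outcome."""
    db, res = {}, {}
    admin = Connection(db, User('admin', {'managers'}))
    aff = admin.insert('Affaire', sujet='cool', concerne=admin.insert('Societe', nom='logilab'))
    admin.commit()
    anon = Connection(db, User('anon', {'guests'}))
    res['anon_rowcount'] = len(anon.select('Affaire'))           # filtered, not refused
    res['anon_old'] = outcome(lambda: anon.select('Old')), outcome(anon.commit)
    u = Connection(db, User('iaminusersgrouponly', {'users'}))
    u.set_attrs('Affaire', sujet='pascool')                      # unreadable rows: silent no-op
    res['update_unreadable'] = outcome(u.commit), db[aff]['sujet']
    u.set_attrs('Societe', nom='toto')                           # readable, not updatable
    res['update_readable'] = outcome(u.commit)
    u.insert('Affaire', sujet='lonely')                          # 'add' needs an owned Societe
    res['insert_unlinked'] = outcome(u.commit)
    u.insert('Affaire', sujet='cool', concerne=u.insert('Societe', nom='chouette'))
    res['insert_linked'] = outcome(u.commit)
    u.insert('Old')
    u.set_attrs('Old', name='Celeste')                           # same transaction: 'add' applies
    res['old_same_txn'] = outcome(u.commit)
    u.set_attrs('Old', name='Babar')                             # later transaction: 'update'
    res['old_later'] = outcome(u.commit)
    return res
```

scenario() returns the outcome of each step. The point to take away is the one the tests keep checking from an admin connection afterwards: under expression-based read filtering, a SET or DELETE that raises nothing is not evidence that the user was allowed to touch those rows, only that the rows were not selected; a real denial needs an entity the user can read, and the moment at which it surfaces (execute versus commit) depends on the action being checked.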
    def test_delete_security(self):
        # FIXME: sample below fails because we don't detect "owner" can't delete
        # user anyway, and since no user with login == 'bidule' exists, no
        # exception is raised
        #user._groups = {'guests':1}
        #self.assertRaises(Unauthorized,
        #                  self.o.execute, user, "DELETE CWUser X WHERE X login 'bidule'")
        # check local security
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
            self.assertRaises(Unauthorized, cnx.execute, "DELETE CWGroup Y WHERE Y name 'staff'")

    def test_delete_rql_permission(self):
        with self.admin_access.repo_cnx() as cnx:
            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
            cnx.commit()
        # test user can only delete an Affaire related to a Societe they own
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
            # this won't actually do anything since the selection query won't return anything
            cnx.execute("DELETE Affaire X")
            cnx.commit()
            # to actually get Unauthorized exception, try to delete an entity we can read
            self.assertRaises(Unauthorized, cnx.execute, "DELETE Societe S")
            self.assertRaises(QueryError, cnx.commit) # can't commit anymore
            cnx.rollback()
            cnx.execute("INSERT Affaire X: X sujet 'pascool'")
            cnx.execute("INSERT Societe X: X nom 'chouette'")
            cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")
            cnx.commit()
##         # this one should fail since it will try to delete two affaires, one authorized
##         # and the other not
##         self.assertRaises(Unauthorized, cnx.execute, "DELETE Affaire X")
            cnx.execute("DELETE Affaire X WHERE X sujet 'pascool'")
            cnx.commit()

    def test_insert_relation_rql_permission(self):
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
            # would be Unauthorized since the user doesn't own S, but this won't
            # actually do anything since the selection query won't return
            # anything
            cnx.commit()
            # to actually get Unauthorized exception, try to insert a relation
            # where we can read both entities
            rset = cnx.execute('Personne P')
            self.assertEqual(len(rset), 1)
            ent = rset.get_entity(0, 0)
            self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe'))
            self.assertRaises(Unauthorized, ent.cw_check_perm, 'update')
            self.assertRaises(Unauthorized,
                              cnx.execute, "SET P travaille S WHERE P is Personne, S is Societe")
            self.assertRaises(QueryError, cnx.commit) # can't commit anymore
            cnx.rollback()
            # test nothing has actually been inserted:
            self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe'))
            cnx.execute("INSERT Societe X: X nom 'chouette'")
            cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")
            cnx.commit()

   273
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   274
    def test_delete_relation_rql_permission(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   275
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   276
            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   277
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   278
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   279
            # this won't actually do anything since the selection query won't return anything
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   280
            cnx.execute("DELETE A concerne S")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   281
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   282
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   283
            # to actually get Unauthorized exception, try to delete a relation we can read
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   284
            eid = cnx.execute("INSERT Affaire X: X sujet 'pascool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   285
            cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"',
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   286
                         {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   287
            cnx.execute("SET A concerne S WHERE A sujet 'pascool', S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   288
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   289
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   290
            self.assertRaises(Unauthorized, cnx.execute, "DELETE A concerne S")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   291
            self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   292
            cnx.rollback()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   293
            cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   294
            cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   295
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   296
            cnx.execute("DELETE A concerne S WHERE S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   297
            cnx.commit()
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   298
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   299
    def test_user_can_change_its_upassword(self):
        with self.admin_access.repo_cnx() as cnx:
            ueid = self.create_user(cnx, u'user').eid
        with self.new_access(u'user').repo_cnx() as cnx:
            cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',
                        {'x': ueid, 'passwd': b'newpwd'})
            cnx.commit()
        session = self.repo.new_session('user', password='newpwd')
        session.close()

    def test_user_cant_change_other_upassword(self):
        with self.admin_access.repo_cnx() as cnx:
            ueid = self.create_user(cnx, u'otheruser').eid
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
            cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',
                        {'x': ueid, 'passwd': b'newpwd'})
            self.assertRaises(Unauthorized, cnx.commit)

    # read security test

    def test_read_base(self):
        with self.temporary_permissions(Personne={'read': ('users', 'managers')}):
            with self.new_access(u'anon').repo_cnx() as cnx:
                self.assertRaises(Unauthorized,
                                  cnx.execute, 'Personne U where U nom "managers"')

321
247947250382 fix security bug w/ query using 'NOT X eid 123'
Sylvain Thenault <sylvain.thenault@logilab.fr>
parents: 0
diff changeset
   326
    def test_read_erqlexpr_base(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   327
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   328
            eid = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   329
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   330
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   331
            rset = cnx.execute('Affaire X')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   332
            self.assertEqual(rset.rows, [])
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   333
            self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   334
            # cache test
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   335
            self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   336
            aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   337
            soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   338
            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   339
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   340
            rset = cnx.execute('Any X WHERE X eid %(x)s', {'x': aff2})
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   341
            self.assertEqual(rset.rows, [[aff2]])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   342
            # more cache test w/ NOT eid
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   343
            rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': eid})
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   344
            self.assertEqual(rset.rows, [[aff2]])
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   345
            rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': aff2})
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   346
            self.assertEqual(rset.rows, [])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   347
            # test can't update an attribute of an entity that can't be readen
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   348
            self.assertRaises(Unauthorized, cnx.execute,
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   349
                              'SET X sujet "hacked" WHERE X eid %(x)s', {'x': eid})
4765
c33d12865641 more tests
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4711
diff changeset
   350
c33d12865641 more tests
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4711
diff changeset
   351
c33d12865641 more tests
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4711
diff changeset
   352
    def test_entity_created_in_transaction(self):
c33d12865641 more tests
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4711
diff changeset
   353
        affschema = self.schema['Affaire']
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   354
        with self.temporary_permissions(Affaire={'read': affschema.permissions['add']}):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   355
            with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   356
                aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   357
                # entity created in transaction are readable *by eid*
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   358
                self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   359
                # XXX would be nice if it worked
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   360
                rset = cnx.execute("Affaire X WHERE X sujet 'cool'")
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   361
                self.assertEqual(len(rset), 0)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   362
                self.assertRaises(Unauthorized, cnx.commit)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   363
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   364
    def test_read_erqlexpr_has_text1(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   365
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   366
            aff1 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   367
            card1 = cnx.execute("INSERT Card X: X title 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   368
            cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"',
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   369
                        {'x': card1})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   370
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   371
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   372
            aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   373
            soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   374
            cnx.execute("SET A concerne S WHERE A eid %(a)s, S eid %(s)s", {'a': aff2, 's': soc1})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   375
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   376
            self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x':aff1})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   377
            self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   378
            self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':card1}))
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   379
            rset = cnx.execute("Any X WHERE X has_text 'cool'")
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   380
            self.assertEqual(sorted(eid for eid, in rset.rows),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   381
                              [card1, aff2])
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   382
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   383
    def test_read_erqlexpr_has_text2(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   384
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   385
            cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   386
            cnx.execute("INSERT Societe X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   387
            cnx.commit()
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   388
        with self.temporary_permissions(Personne={'read': ('managers',)}):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   389
            with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   390
                rset = cnx.execute('Any N WHERE N has_text "bidule"')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   391
                self.assertEqual(len(rset.rows), 1, rset.rows)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   392
                rset = cnx.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   393
                self.assertEqual(len(rset.rows), 1, rset.rows)
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   394
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   395
    def test_read_erqlexpr_optional_rel(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   396
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   397
            cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   398
            cnx.execute("INSERT Societe X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   399
            cnx.commit()
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   400
        with self.temporary_permissions(Personne={'read': ('managers',)}):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   401
            with self.new_access(u'anon').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   402
                rset = cnx.execute('Any N,U WHERE N has_text "bidule", N owned_by U?')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   403
                self.assertEqual(len(rset.rows), 1, rset.rows)
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   404
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   405
    def test_read_erqlexpr_aggregat(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   406
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   407
            cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   408
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   409
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   410
            rset = cnx.execute('Any COUNT(X) WHERE X is Affaire')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   411
            self.assertEqual(rset.rows, [[0]])
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   412
            aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   413
            soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   414
            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   415
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   416
            rset = cnx.execute('Any COUNT(X) WHERE X is Affaire')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   417
            self.assertEqual(rset.rows, [[1]])
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   418
            rset = cnx.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   419
            values = dict(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   420
            self.assertEqual(values['Affaire'], 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   421
            self.assertEqual(values['Societe'], 2)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   422
            rset = cnx.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN '
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   423
                              'WITH X BEING ((Affaire X) UNION (Societe X))')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   424
            self.assertEqual(len(rset), 2)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   425
            values = dict(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   426
            self.assertEqual(values['Affaire'], 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   427
            self.assertEqual(values['Societe'], 2)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   428
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   429
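The read tests above, from test_read_base through test_read_erqlexpr_aggregat, check one rule from several angles: rows the reader may not see are filtered out of set queries (including ones written with NOT X eid), a query that names an unreadable eid raises Unauthorized instead of returning an empty result, an unreadable entity cannot be updated, and COUNT and has_text are evaluated on the filtered set so that counts and full-text hits never reveal hidden rows. The block below is an added illustration written for this page, not CubicWeb's implementation and not part of this test file: a small in-memory model of that behaviour in plain Python. Its schema, group names, logins and entity values are constructed to mirror the tests, and the owned_by predicate on Affaire is an assumption standing in for the ERQL read expression the real schema uses.

```python
import itertools
from collections import Counter

_EIDS = itertools.count(1)  # toy eid allocator shared by all connections


class Unauthorized(Exception):
    """Raised when a query names an entity the reader is not allowed to see."""


# Constructed schema (not the test suite's): a read permission is a tuple of
# groups, or a predicate (entity, user) -> bool standing in for an RQL
# expression such as "X owned_by U".
SCHEMA = {
    'Personne': {'read': ('managers',)},
    'Societe': {'read': ('managers', 'users', 'guests')},
    'Affaire': {'read': lambda e, u: 'managers' in u['groups'] or e['owned_by'] == u['login']},
}


def can_read(entity, user):
    """Evaluate the read permission of the entity's type for this user."""
    perm = SCHEMA[entity['type']]['read']
    return perm(entity, user) if callable(perm) else bool(set(perm) & set(user['groups']))


class Connection:
    """One user's view of a shared store (dict eid -> entity); every read goes through can_read."""

    def __init__(self, store, login, groups):
        self.store = store
        self.user = {'login': login, 'groups': tuple(groups)}

    def _visible(self):
        return {eid: e for eid, e in self.store.items() if can_read(e, self.user)}

    def insert(self, etype, **attrs):
        eid = next(_EIDS)
        self.store[eid] = dict(type=etype, owned_by=self.user['login'], **attrs)
        return eid

    def select(self, etype, exclude_eid=None):
        """'Affaire X [WHERE NOT X eid N]': unreadable rows are dropped silently,
        so excluding an eid the user cannot read changes nothing."""
        return sorted(eid for eid, e in self._visible().items()
                      if e['type'] == etype and eid != exclude_eid)

    def get(self, eid):
        """'Any X WHERE X eid N': an unreadable eid is an error, not an empty result."""
        if eid not in self._visible():
            raise Unauthorized('eid %d' % eid)
        return self.store[eid]

    def update(self, eid, **attrs):
        """'SET X attr V WHERE X eid N': refused on an entity the user cannot read."""
        self.get(eid).update(attrs)

    def count_by_type(self):
        """'Any ETN, COUNT(X) GROUPBY ETN': the aggregate is computed after filtering."""
        return dict(Counter(e['type'] for e in self._visible().values()))

    def has_text(self, text):
        """'Any N WHERE N has_text "..."': full-text hits, filtered per type."""
        return sorted(eid for eid, e in self._visible().items()
                      if any(text in str(v) for k, v in e.items()
                             if k not in ('type', 'owned_by')))


def demo():
    # Replay the scenario of the read tests and collect what the 'users' connection sees.
    store = {}
    admin = Connection(store, 'admin', ('managers',))
    aff1 = admin.insert('Affaire', sujet='cool')
    admin.insert('Personne', nom='bidule')
    admin.insert('Societe', nom='bidule')
    user = Connection(store, 'iaminusersgrouponly', ('users',))
    out = {'before': user.select('Affaire')}                      # []
    try:
        user.get(aff1)
        out['direct'] = 'allowed'
    except Unauthorized:
        out['direct'] = 'denied'
    aff2 = user.insert('Affaire', sujet='cool')
    user.insert('Societe', nom='chouette')
    out['aff2'] = aff2
    out['own'] = user.select('Affaire')                           # [aff2]
    out['not_hidden'] = user.select('Affaire', exclude_eid=aff1)  # [aff2]
    out['not_own'] = user.select('Affaire', exclude_eid=aff2)     # []
    out['count'] = user.count_by_type()                           # Affaire 1, Societe 2
    out['text'] = [store[e]['type'] for e in user.has_text('bidule')]  # Societe only
    try:
        user.update(aff1, sujet='changed')
        out['update'] = 'allowed'
    except Unauthorized:
        out['update'] = 'denied'
    return out
```

Two things the tests check that this toy deliberately lacks: it has no query-plan cache, so the repeated "cache test" query has no analogue here (the point of that test is that a cached plan must not skip the security rewrite), and inserts are visible immediately, whereas test_entity_created_in_transaction shows the real repository only exposing a not-yet-committed entity by eid.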
    def test_attribute_security(self):
        with self.admin_access.repo_cnx() as cnx:
            # only managers should be able to edit the 'test' attribute of Personne entities
            eid = cnx.execute("INSERT Personne X: X nom 'bidule', "
                              "X web 'http://www.debian.org', X test TRUE")[0][0]
            cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
            cnx.commit()
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
            cnx.execute("INSERT Personne X: X nom 'bidule', "
                        "X web 'http://www.debian.org', X test TRUE")
            self.assertRaises(Unauthorized, cnx.commit)
            cnx.execute("INSERT Personne X: X nom 'bidule', "
                        "X web 'http://www.debian.org', X test FALSE")
            self.assertRaises(Unauthorized, cnx.commit)
            eid = cnx.execute("INSERT Personne X: X nom 'bidule', "
                              "X web 'http://www.debian.org'")[0][0]
            cnx.commit()
            cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
            self.assertRaises(Unauthorized, cnx.commit)
            cnx.execute('SET X test TRUE WHERE X eid %(x)s', {'x': eid})
            self.assertRaises(Unauthorized, cnx.commit)
            cnx.execute('SET X web "http://www.logilab.org" WHERE X eid %(x)s', {'x': eid})
            cnx.commit()
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
            cnx.execute('INSERT Frozable F: F name "Foo"')
            cnx.commit()
            cnx.execute('SET F name "Bar" WHERE F is Frozable')
            cnx.commit()
            cnx.execute('SET F name "BaBar" WHERE F is Frozable')
            cnx.execute('SET F frozen True WHERE F is Frozable')
            with self.assertRaises(Unauthorized):
                cnx.commit()
            cnx.rollback()
            cnx.execute('SET F frozen True WHERE F is Frozable')
            cnx.commit()
            cnx.execute('SET F name "Bar" WHERE F is Frozable')
            with self.assertRaises(Unauthorized):
                cnx.commit()

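test_attribute_security above shows attribute-level write permissions being enforced at commit time rather than at execute time: a non-manager may insert a Personne and later change its web attribute, but any value given for test is refused, and a Frozable's name can be changed only while the entity is not frozen, judged on the state the transaction would leave behind (setting name and frozen together in one transaction is refused). The same kind of state-dependent rule appears in the following test, where Note.para is editable by managers or while the note is in the "todo" state. The block below is an added illustration written for this page, not CubicWeb's security hooks and not part of this test file: a small model that buffers writes per transaction and checks each changed attribute against its permission on the post-transaction entity state. The permission table, group names and logins are constructed to mirror the tests; the predicates are assumptions standing in for the RQL expressions of the real schema, and a plain state attribute stands in for the workflow transition.

```python
import itertools

_EIDS = itertools.count(1)  # toy eid allocator shared by all connections


class Unauthorized(Exception):
    """Raised at commit time when a buffered attribute change is not permitted."""


# Constructed permissions (not the test suite's schema): each attribute's 'update'
# permission is a tuple of groups, or a predicate (entity, user) -> bool standing
# in for an RQL expression ("NOT X frozen TRUE", "X in_state S, S name 'todo'").
ATTR_PERMS = {
    ('Personne', 'nom'): ('managers', 'users'),
    ('Personne', 'web'): ('managers', 'users'),
    ('Personne', 'test'): ('managers',),
    ('Frozable', 'name'): lambda e, u: not e.get('frozen', False),
    ('Frozable', 'frozen'): ('managers', 'users'),
    ('Note', 'para'): lambda e, u: 'managers' in u['groups'] or e.get('state') == 'todo',
    ('Note', 'state'): ('managers', 'users'),
}


def attr_allowed(etype, attr, entity, user):
    perm = ATTR_PERMS[(etype, attr)]
    return perm(entity, user) if callable(perm) else bool(set(perm) & set(user['groups']))


class Connection:
    """Buffers writes and checks them only at commit, against the entity state the
    transaction would produce: name and frozen set together are judged with frozen True."""

    def __init__(self, store, login, groups):
        self.store = store      # shared dict: eid -> entity dict
        self.user = {'login': login, 'groups': tuple(groups)}
        self.pending = {}       # eid -> {attr: new value}, flushed or dropped at commit
        self.created = {}       # eid -> etype for entities inserted in this transaction

    def insert(self, etype, **attrs):
        eid = next(_EIDS)
        self.created[eid] = etype
        self.pending[eid] = dict(attrs)
        return eid

    def set(self, eid, **attrs):
        self.pending.setdefault(eid, {}).update(attrs)

    def rollback(self):
        self.pending.clear()
        self.created.clear()

    def commit(self):
        try:
            for eid, changes in self.pending.items():
                etype = self.created.get(eid) or self.store[eid]['type']
                state = dict(self.store.get(eid, {'type': etype}))
                state.update(changes)   # post-transaction view of the entity
                for attr in changes:
                    if not attr_allowed(etype, attr, state, self.user):
                        raise Unauthorized('%s.%s on eid %d' % (etype, attr, eid))
            for eid, changes in self.pending.items():
                self.store.setdefault(eid, {'type': self.created.get(eid)}).update(changes)
        finally:
            self.rollback()     # a refused commit drops the whole transaction


def attempt(cnx, action):
    """Run action() then commit; report whether the commit-time check let it through."""
    try:
        action()
        cnx.commit()
        return 'ok'
    except Unauthorized:
        return 'denied'


def demo():
    # Replay the attribute scenarios of the tests and collect each outcome.
    store = {}
    admin = Connection(store, 'admin', ('managers',))
    note = admin.insert('Note', para='bidule', state='todo')
    admin.commit()
    admin.set(note, state='done')       # stands in for fire_transition('markasdone')
    admin.commit()
    user = Connection(store, 'iaminusersgrouponly', ('users',))
    r = {}
    r['insert_with_test'] = attempt(user, lambda: user.insert('Personne', nom='bidule', test=True))
    p = user.insert('Personne', nom='bidule', web='http://www.debian.org')
    user.commit()
    r['set_test'] = attempt(user, lambda: user.set(p, test=False))
    r['set_web'] = attempt(user, lambda: user.set(p, web='http://www.logilab.org'))
    f = user.insert('Frozable', name='Foo')
    user.commit()
    r['rename'] = attempt(user, lambda: user.set(f, name='Bar'))
    r['rename_and_freeze'] = attempt(user, lambda: (user.set(f, name='BaBar'),
                                                    user.set(f, frozen=True)))
    r['freeze'] = attempt(user, lambda: user.set(f, frozen=True))
    r['rename_frozen'] = attempt(user, lambda: user.set(f, name='Bar'))
    r['user_edits_done_note'] = attempt(user, lambda: user.set(note, para='chouette'))
    r['admin_edits_done_note'] = attempt(admin, lambda: admin.set(note, para='truc'))
    r['final'] = (dict(store[f]), dict(store[p]))
    return r
```

The design point is where the check runs: checking at execute time against the current stored state would let "name BaBar" through because frozen is still False at that moment, which is exactly the hole the Frozable part of the test guards against. Evaluating on the post-transaction state also means a refused commit must discard every buffered change, which commit does in its finally clause.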
    def test_attribute_security_rqlexpr(self):
        with self.admin_access.repo_cnx() as cnx:
            # Note.para attribute editable by managers or if the note is in "todo" state
            note = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
            cnx.commit()
            note.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
            cnx.execute('SET X para "truc" WHERE X eid %(x)s', {'x': note.eid})
            cnx.commit()
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
            cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note.eid})
            self.assertRaises(Unauthorized, cnx.commit)
            note2 = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
            cnx.commit()
            note2.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
            cnx.commit()
            self.assertEqual(len(cnx.execute('Any X WHERE X in_state S, S name "todo", X eid %(x)s',
                                             {'x': note2.eid})),
                             0)
parents: 9777
diff changeset
   487
            cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   488
            self.assertRaises(Unauthorized, cnx.commit)
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   489
            note2.cw_adapt_to('IWorkflowable').fire_transition('redoit')
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   490
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   491
            cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   492
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   493
            cnx.execute("INSERT Note X: X something 'A'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   494
            self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   495
            cnx.execute("INSERT Note X: X para 'zogzog', X something 'A'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   496
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   497
            note = cnx.execute("INSERT Note X").get_entity(0,0)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   498
            cnx.commit()
9395
96dba2efd16d [hooks/security] provide attribute "add" permission
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 8694
diff changeset
   499
            note.cw_set(something=u'B')
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   500
            cnx.commit()
9395
96dba2efd16d [hooks/security] provide attribute "add" permission
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 8694
diff changeset
   501
            note.cw_set(something=None, para=u'zogzog')
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   502
            cnx.commit()
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   503
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   504
    def test_attribute_read_security(self):
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   505
        # anon not allowed to see users'login, but they can see users
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   506
        login_rdef = self.repo.schema['CWUser'].rdef('login')
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   507
        with self.temporary_permissions((login_rdef, {'read': ('users', 'managers')}),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   508
                                        CWUser={'read': ('guests', 'users', 'managers')}):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   509
            with self.new_access(u'anon').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   510
                rset = cnx.execute('CWUser X')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   511
                self.assertTrue(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   512
                x = rset.get_entity(0, 0)
10463
9add9b7f9df7 [server/test] fix random error in unittest_security
Julien Cristau <julien.cristau@logilab.fr>
parents: 10249
diff changeset
   513
                x.complete()
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   514
                self.assertEqual(x.login, None)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   515
                self.assertTrue(x.creation_date)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   516
                x = rset.get_entity(1, 0)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   517
                x.complete()
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   518
                self.assertEqual(x.login, None)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   519
                self.assertTrue(x.creation_date)
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   520
8452
1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents: 8075
diff changeset
   521
    def test_yams_inheritance_and_security_bug(self):
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   522
        with self.temporary_permissions(Division={'read': ('managers',
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   523
                                                           ERQLExpression('X owned_by U'))}):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   524
            with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   525
                querier = cnx.repo.querier
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   526
                rqlst = querier.parse('Any X WHERE X is_instance_of Societe')
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   527
                querier.solutions(cnx, rqlst, {})
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   528
                querier._annotate(rqlst)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   529
                plan = querier.plan_factory(rqlst, {}, cnx)
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   530
                plan.preprocess(rqlst)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   531
                self.assertEqual(
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   532
                    rqlst.as_string(),
10249
e38b8d37c5d8 [rqlrewrite] sort possible types when turning is_instance_of into is
Julien Cristau <julien.cristau@logilab.fr>
parents: 10248
diff changeset
   533
                    '(Any X WHERE X is IN(Societe, SubDivision)) UNION '
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   534
                    '(Any X WHERE X is Division, EXISTS(X owned_by %(B)s))')
8452
1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents: 8075
diff changeset
   535
1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents: 8075
diff changeset
   536
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   537
class BaseSchemaSecurityTC(BaseSecurityTC):
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   538
    """tests related to the base schema permission configuration"""
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   539
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   540
    def test_user_can_delete_object_he_created(self):
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   541
        # even if some other user have changed object'state
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   542
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   543
            # due to security test, affaire has to concerne a societe the user owns
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   544
            cnx.execute('INSERT Societe X: X nom "ARCTIA"')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   545
            cnx.execute('INSERT Affaire X: X ref "ARCT01", X concerne S WHERE S nom "ARCTIA"')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   546
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   547
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   548
            affaire = cnx.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   549
            affaire.cw_adapt_to('IWorkflowable').fire_transition('abort')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   550
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   551
            self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01"')),
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   552
                             1)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   553
            self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",'
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   554
                                              'X owned_by U, U login "admin"')),
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   555
                             1) # TrInfo at the above state change
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   556
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   557
            cnx.execute('DELETE Affaire X WHERE X ref "ARCT01"')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   558
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   559
            self.assertFalse(cnx.execute('Affaire X'))
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   560
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   561
    def test_users_and_groups_non_readable_by_guests(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   562
        with self.repo.internal_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   563
            admineid = cnx.execute('CWUser U WHERE U login "admin"').rows[0][0]
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   564
        with self.new_access(u'anon').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   565
            anon = cnx.user
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   566
            # anonymous user can only read itself
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   567
            rset = cnx.execute('Any L WHERE X owned_by U, U login L')
8624
7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests`
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 8546
diff changeset
   568
            self.assertEqual([['anon']], rset.rows)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   569
            rset = cnx.execute('CWUser X')
8624
7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests`
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 8546
diff changeset
   570
            self.assertEqual([[anon.eid]], rset.rows)
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   571
            # anonymous user can read groups (necessary to check allowed transitions for instance)
10600
180aa08cad48 [tests] Replace use of deprecated TestCase.assert_
Rémi Cardona <remi.cardona@logilab.fr>
parents: 10463
diff changeset
   572
            self.assertTrue(cnx.execute('CWGroup X'))
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   573
            # should only be able to read the anonymous user, not another one
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   574
            self.assertRaises(Unauthorized,
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   575
                              cnx.execute, 'CWUser X WHERE X eid %(x)s', {'x': admineid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   576
            rset = cnx.execute('CWUser X WHERE X eid %(x)s', {'x': anon.eid})
8624
7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests`
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 8546
diff changeset
   577
            self.assertEqual([[anon.eid]], rset.rows)
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   578
            # but can't modify it
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   579
            cnx.execute('SET X login "toto" WHERE X eid %(x)s', {'x': anon.eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   580
            self.assertRaises(Unauthorized, cnx.commit)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   581
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   582
    def test_in_group_relation(self):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   583
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   584
            rql = u"DELETE U in_group G WHERE U login 'admin'"
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   585
            self.assertRaises(Unauthorized, cnx.execute, rql)
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   586
            rql = u"SET U in_group G WHERE U login 'admin', G name 'users'"
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   587
            self.assertRaises(Unauthorized, cnx.execute, rql)
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   588
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   589
    def test_owned_by(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   590
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   591
            cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   592
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   593
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   594
            rql = u"SET X owned_by U WHERE U login 'iaminusersgrouponly', X is Personne"
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   595
            self.assertRaises(Unauthorized, cnx.execute, rql)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   596
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   597
    def test_bookmarked_by_guests_security(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   598
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   599
            beid1 = cnx.execute('INSERT Bookmark B: B path "?vid=manage", B title "manage"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   600
            beid2 = cnx.execute('INSERT Bookmark B: B path "?vid=index", B title "index", '
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   601
                                'B bookmarked_by U WHERE U login "anon"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   602
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   603
        with self.new_access(u'anon').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   604
            anoneid = cnx.user.eid
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   605
            self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   606
                                         'B bookmarked_by U, U eid %s' % anoneid).rows,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   607
                              [['index', '?vid=index']])
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   608
            self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   609
                                         'B bookmarked_by U, U eid %(x)s', {'x': anoneid}).rows,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   610
                              [['index', '?vid=index']])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   611
            # can read others bookmarks as well
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   612
            self.assertEqual(cnx.execute('Any B where B is Bookmark, NOT B bookmarked_by U').rows,
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   613
                              [[beid1]])
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   614
            self.assertRaises(Unauthorized, cnx.execute,'DELETE B bookmarked_by U')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   615
            self.assertRaises(Unauthorized,
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   616
                              cnx.execute, 'SET B bookmarked_by U WHERE U eid %(x)s, B eid %(b)s',
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   617
                              {'x': anoneid, 'b': beid1})
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   618
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   619
    def test_ambigous_ordered(self):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   620
        with self.new_access(u'anon').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   621
            names = [t for t, in cnx.execute('Any N ORDERBY lower(N) WHERE X name N')]
            self.assertEqual(names, sorted(names, key=lambda x: x.lower()))

    def test_in_state_without_update_perm(self):
        """check a user can change in_state without having update permission on the
        subject
        """
        with self.admin_access.repo_cnx() as cnx:
            eid = cnx.execute('INSERT Affaire X: X ref "ARCT01"')[0][0]
            cnx.commit()
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
            # needed to remove rql expr granting update perm to the user
            affschema = self.schema['Affaire']
            with self.temporary_permissions(Affaire={'update': affschema.get_groups('update'),
                                                     'read': ('users',)}):
                self.assertRaises(Unauthorized,
                                  affschema.check_perm, cnx, 'update', eid=eid)
                aff = cnx.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
                aff.cw_adapt_to('IWorkflowable').fire_transition('abort')
                cnx.commit()
                # though changing a user state (even logged user) is reserved to managers
                user = cnx.user
                # XXX whether it should raise Unauthorized or ValidationError is not clear
                # the best would probably be ValidationError if the transition doesn't exist
                # from the current state but Unauthorized if it exists but user can't pass it
                self.assertRaises(ValidationError,
                                  user.cw_adapt_to('IWorkflowable').fire_transition, 'deactivate')

    def test_trinfo_security(self):
        with self.admin_access.repo_cnx() as cnx:
            aff = cnx.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0)
            iworkflowable = aff.cw_adapt_to('IWorkflowable')
            cnx.commit()
            iworkflowable.fire_transition('abort')
            cnx.commit()
            # can change tr info comment
            cnx.execute('SET TI comment %(c)s WHERE TI wf_info_for X, X ref "ARCT01"',
                        {'c': u'bouh!'})
            cnx.commit()
            aff.cw_clear_relation_cache('wf_info_for', 'object')
            trinfo = iworkflowable.latest_trinfo()
            self.assertEqual(trinfo.comment, 'bouh!')
            # but not from_state/to_state
            aff.cw_clear_relation_cache('wf_info_for', role='object')
            self.assertRaises(Unauthorized, cnx.execute,
                              'SET TI from_state S WHERE TI eid %(ti)s, S name "ben non"',
                              {'ti': trinfo.eid})
            self.assertRaises(Unauthorized, cnx.execute,
                              'SET TI to_state S WHERE TI eid %(ti)s, S name "pitetre"',
                              {'ti': trinfo.eid})

    def test_emailaddress_security(self):
        # check for preexisting email address
        with self.admin_access.repo_cnx() as cnx:
            if cnx.execute('Any X WHERE X is EmailAddress'):
                rset = cnx.execute('Any X, U WHERE X is EmailAddress, U use_email X')
                msg = ['Preexisting email readable by anon found!']
                tmpl = '  - "%s" used by user "%s"'
                for i in range(len(rset)):
                    email, user = rset.get_entity(i, 0), rset.get_entity(i, 1)
                    msg.append(tmpl % (email.dc_title(), user.dc_title()))
                raise RuntimeError('\n'.join(msg))
            # actual test
            cnx.execute('INSERT EmailAddress X: X address "hop"').get_entity(0, 0)
            cnx.execute('INSERT EmailAddress X: X address "anon", '
                        'U use_email X WHERE U login "anon"').get_entity(0, 0)
            cnx.commit()
            self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 2)
        with self.new_access(u'anon').repo_cnx() as cnx:
            self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 1)

if __name__ == '__main__':
    unittest_main()