# copyright 2003-2014 LOGILAB S.A. (Paris, FRANCE), all rights reserved.

# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr

#

# This file is part of CubicWeb.

#

# CubicWeb is free software: you can redistribute it and/or modify it under the

# terms of the GNU Lesser General Public License as published by the Free

# Software Foundation, either version 2.1 of the License, or (at your option)

# any later version.

#

# CubicWeb is distributed in the hope that it will be useful, but WITHOUT

# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS

# FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more

# details.

#

# You should have received a copy of the GNU Lesser General Public License along

# with CubicWeb.  If not, see <http://www.gnu.org/licenses/>.

"""functional tests for server'security"""

from logilab.common.testlib import unittest_main

from cubicweb.devtools.testlib import CubicWebTC

from cubicweb import Unauthorized, ValidationError, QueryError, Binary

from cubicweb.schema import ERQLExpression

from cubicweb.server.querier import get_local_checks, check_relations_read_access

from cubicweb.server.utils import _CRYPTO_CTX

class BaseSecurityTC(CubicWebTC):

    def setup_database(self):

        super(BaseSecurityTC, self).setup_database()

        with self.admin_access.client_cnx() as cnx:

            self.create_user(cnx, u'iaminusersgrouponly')

            hash = _CRYPTO_CTX.encrypt('oldpassword', scheme='des_crypt')

            self.create_user(cnx, u'oldpassword', password=Binary(hash))

class LowLevelSecurityFunctionTC(BaseSecurityTC):

    def test_check_relation_read_access(self):

        rql = u'Personne U WHERE U nom "managers"'

        rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]

        nom = self.repo.schema['Personne'].rdef('nom')

        with self.temporary_permissions((nom, {'read': ('users', 'managers')})):

            with self.admin_access.repo_cnx() as cnx:

                self.repo.vreg.solutions(cnx, rqlst, None)

                check_relations_read_access(cnx, rqlst, {})

            with self.new_access(u'anon').repo_cnx() as cnx:

                self.assertRaises(Unauthorized,

                                  check_relations_read_access,

                                  cnx, rqlst, {})

                self.assertRaises(Unauthorized, cnx.execute, rql)

    def test_get_local_checks(self):

        rql = u'Personne U WHERE U nom "managers"'

        rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]

        with self.temporary_permissions(Personne={'read': ('users', 'managers')}):

            with self.admin_access.repo_cnx() as cnx:

                self.repo.vreg.solutions(cnx, rqlst, None)

                solution = rqlst.solutions[0]

                localchecks = get_local_checks(cnx, rqlst, solution)

                self.assertEqual({}, localchecks)

            with self.new_access(u'anon').repo_cnx() as cnx:

                self.assertRaises(Unauthorized,

                                  get_local_checks,

                                  cnx, rqlst, solution)

                self.assertRaises(Unauthorized, cnx.execute, rql)

    def test_upassword_not_selectable(self):

        with self.admin_access.repo_cnx() as cnx:

            self.assertRaises(Unauthorized,

                              cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')

        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:

            self.assertRaises(Unauthorized,

                              cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')

    def test_update_password(self):

        """Ensure that if a user's password is stored with a deprecated hash,

        it will be updated on next login

        """

        with self.repo.internal_cnx() as cnx:

            oldhash = str(cnx.system_sql("SELECT cw_upassword FROM cw_CWUser "

                                         "WHERE cw_login = 'oldpassword'").fetchone()[0])

            self.repo.close(self.repo.connect('oldpassword', password='oldpassword'))

            newhash = str(cnx.system_sql("SELECT cw_upassword FROM cw_CWUser "

                                         "WHERE cw_login = 'oldpassword'").fetchone()[0])

            self.assertNotEqual(oldhash, newhash)

            self.assertTrue(newhash.startswith('$6$'))

            self.repo.close(self.repo.connect('oldpassword', password='oldpassword'))

            self.assertEqual(newhash,

                             str(cnx.system_sql("SELECT cw_upassword FROM cw_CWUser WHERE "

                                                "cw_login = 'oldpassword'").fetchone()[0]))

class SecurityRewritingTC(BaseSecurityTC):

    def hijack_source_execute(self):

        def syntax_tree_search(*args, **kwargs):

            self.query = (args, kwargs)

            return []

        self.repo.system_source.syntax_tree_search = syntax_tree_search

    def tearDown(self):

        self.repo.system_source.__dict__.pop('syntax_tree_search', None)

        super(SecurityRewritingTC, self).tearDown()

    def test_not_relation_read_security(self):

        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:

            self.hijack_source_execute()

            cnx.execute('Any U WHERE NOT A todo_by U, A is Affaire')

            self.assertEqual(self.query[0][1].as_string(),

                              'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')

            cnx.execute('Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')

            self.assertEqual(self.query[0][1].as_string(),

                              'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')

class SecurityTC(BaseSecurityTC):

    def setUp(self):

        super(SecurityTC, self).setUp()

        # implicitly test manager can add some entities

        with self.admin_access.repo_cnx() as cnx:

            cnx.execute("INSERT Affaire X: X sujet 'cool'")

            cnx.execute("INSERT Societe X: X nom 'logilab'")

            cnx.execute("INSERT Personne X: X nom 'bidule'")

            cnx.execute('INSERT CWGroup X: X name "staff"')

            cnx.commit()

    def test_insert_security(self):

        with self.new_access(u'anon').repo_cnx() as cnx:

            cnx.execute("INSERT Personne X: X nom 'bidule'")

            self.assertRaises(Unauthorized, cnx.commit)

            self.assertEqual(cnx.execute('Personne X').rowcount, 1)

    def test_insert_security_2(self):

        with self.new_access(u'anon').repo_cnx() as cnx:

            cnx.execute("INSERT Affaire X")

            self.assertRaises(Unauthorized, cnx.commit)

            # anon has no read permission on Affaire entities, so

            # rowcount == 0

            self.assertEqual(cnx.execute('Affaire X').rowcount, 0)

    def test_insert_rql_permission(self):

        # test user can only add une affaire related to a societe he owns

        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:

            cnx.execute("INSERT Affaire X: X sujet 'cool'")

            self.assertRaises(Unauthorized, cnx.commit)

        # test nothing has actually been inserted

        with self.admin_access.repo_cnx() as cnx:

            self.assertEqual(cnx.execute('Affaire X').rowcount, 1)

        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:

            cnx.execute("INSERT Affaire X: X sujet 'cool'")

            cnx.execute("INSERT Societe X: X nom 'chouette'")

            cnx.execute("SET A concerne S WHERE A sujet 'cool', S nom 'chouette'")

            cnx.commit()

    def test_update_security_1(self):

        with self.new_access(u'anon').repo_cnx() as cnx:

            # local security check

            cnx.execute( "SET X nom 'bidulechouette' WHERE X is Personne")

            self.assertRaises(Unauthorized, cnx.commit)

        with self.admin_access.repo_cnx() as cnx:

            self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)

    def test_update_security_2(self):

        with self.temporary_permissions(Personne={'read': ('users', 'managers'),

                                                  'add': ('guests', 'users', 'managers')}):

            with self.new_access(u'anon').repo_cnx() as cnx:

                self.assertRaises(Unauthorized, cnx.execute,

                                  "SET X nom 'bidulechouette' WHERE X is Personne")

        # test nothing has actually been inserted

        with self.admin_access.repo_cnx() as cnx:

            self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)

    def test_update_security_3(self):

        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:

            cnx.execute("INSERT Personne X: X nom 'biduuule'")

            cnx.execute("INSERT Societe X: X nom 'looogilab'")

            cnx.execute("SET X travaille S WHERE X nom 'biduuule', S nom 'looogilab'")

    def test_insert_immutable_attribute_update(self):

        with self.admin_access.repo_cnx() as cnx:

            cnx.create_entity('Old', name=u'Babar')

            cnx.commit()

            # this should be equivalent

            o = cnx.create_entity('Old')

            o.cw_set(name=u'Celeste')

            cnx.commit()

    def test_update_rql_permission(self):

        with self.admin_access.repo_cnx() as cnx:

            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")

            cnx.commit()

        # test user can only update une affaire related to a societe he owns

        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:

            cnx.execute("SET X sujet 'pascool' WHERE X is Affaire")

            # this won't actually do anything since the selection query won't return anything

            cnx.commit()

            # to actually get Unauthorized exception, try to update an entity we can read

            cnx.execute("SET X nom 'toto' WHERE X is Societe")

            self.assertRaises(Unauthorized, cnx.commit)

            cnx.execute("INSERT Affaire X: X sujet 'pascool'")

            cnx.execute("INSERT Societe X: X nom 'chouette'")

            cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")

            cnx.execute("SET X sujet 'habahsicestcool' WHERE X sujet 'pascool'")

            cnx.commit()

    def test_delete_security(self):

        # FIXME: sample below fails because we don't detect "owner" can't delete

        # user anyway, and since no user with login == 'bidule' exists, no

        # exception is raised

        #user._groups = {'guests':1}

        #self.assertRaises(Unauthorized,

        #                  self.o.execute, user, "DELETE CWUser X WHERE X login 'bidule'")

        # check local security

        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:

            self.assertRaises(Unauthorized, cnx.execute, "DELETE CWGroup Y WHERE Y name 'staff'")

    def test_delete_rql_permission(self):

        with self.admin_access.repo_cnx() as cnx:

            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")

            cnx.commit()

        # test user can only dele une affaire related to a societe he owns

        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:

            # this won't actually do anything since the selection query won't return anything

            cnx.execute("DELETE Affaire X")

            cnx.commit()

            # to actually get Unauthorized exception, try to delete an entity we can read

            self.assertRaises(Unauthorized, cnx.execute, "DELETE Societe S")

            self.assertRaises(QueryError, cnx.commit) # can't commit anymore

            cnx.rollback()

            cnx.execute("INSERT Affaire X: X sujet 'pascool'")

            cnx.execute("INSERT Societe X: X nom 'chouette'")

            cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")

            cnx.commit()

##         # this one should fail since it will try to delete two affaires, one authorized

##         # and the other not

##         self.assertRaises(Unauthorized, cnx.execute, "DELETE Affaire X")

            cnx.execute("DELETE Affaire X WHERE X sujet 'pascool'")

            cnx.commit()

    def test_insert_relation_rql_permission(self):

        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:

            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")

            # should raise Unauthorized since user don't own S though this won't

            # actually do anything since the selection query won't return

            # anything

            cnx.commit()

            # to actually get Unauthorized exception, try to insert a relation

            # were we can read both entities

            rset = cnx.execute('Personne P')

            self.assertEqual(len(rset), 1)

            ent = rset.get_entity(0, 0)

            self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe'))

            self.assertRaises(Unauthorized, ent.cw_check_perm, 'update')

            self.assertRaises(Unauthorized,

                              cnx.execute, "SET P travaille S WHERE P is Personne, S is Societe")

            self.assertRaises(QueryError, cnx.commit) # can't commit anymore

            cnx.rollback()

            # test nothing has actually been inserted:

            self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe'))

            cnx.execute("INSERT Societe X: X nom 'chouette'")

            cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")

            cnx.commit()

    def test_delete_relation_rql_permission(self):

        with self.admin_access.repo_cnx() as cnx:

            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")

            cnx.commit()

        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:

            # this won't actually do anything since the selection query won't return anything

            cnx.execute("DELETE A concerne S")

            cnx.commit()

        with self.admin_access.repo_cnx() as cnx:

            # to actually get Unauthorized exception, try to delete a relation we can read

            eid = cnx.execute("INSERT Affaire X: X sujet 'pascool'")[0][0]

            cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"',

                         {'x': eid})

            cnx.execute("SET A concerne S WHERE A sujet 'pascool', S is Societe")

            cnx.commit()

        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:

            self.assertRaises(Unauthorized, cnx.execute, "DELETE A concerne S")

            self.assertRaises(QueryError, cnx.commit) # can't commit anymore

            cnx.rollback()

            cnx.execute("INSERT Societe X: X nom 'chouette'")

            cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")

            cnx.commit()

            cnx.execute("DELETE A concerne S WHERE S nom 'chouette'")

            cnx.commit()

    def test_user_can_change_its_upassword(self):

        with self.admin_access.repo_cnx() as cnx:

            ueid = self.create_user(cnx, u'user').eid

        with self.new_access(u'user').repo_cnx() as cnx:

            cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',

                       {'x': ueid, 'passwd': 'newpwd'})

            cnx.commit()

        self.repo.close(self.repo.connect('user', password='newpwd'))

    def test_user_cant_change_other_upassword(self):

        with self.admin_access.repo_cnx() as cnx:

            ueid = self.create_user(cnx, u'otheruser').eid

        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:

            cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',

                       {'x': ueid, 'passwd': 'newpwd'})

            self.assertRaises(Unauthorized, cnx.commit)

    # read security test

    def test_read_base(self):

        with self.temporary_permissions(Personne={'read': ('users', 'managers')}):

            with self.new_access(u'anon').repo_cnx() as cnx:

                self.assertRaises(Unauthorized,

                                  cnx.execute, 'Personne U where U nom "managers"')

    def test_read_erqlexpr_base(self):

        with self.admin_access.repo_cnx() as cnx:

            eid = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]

            cnx.commit()

        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:

            rset = cnx.execute('Affaire X')

            self.assertEqual(rset.rows, [])

            self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})

            # cache test

            self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})

            aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]

            soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]

            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")

            cnx.commit()

            rset = cnx.execute('Any X WHERE X eid %(x)s', {'x': aff2})

            self.assertEqual(rset.rows, [[aff2]])

            # more cache test w/ NOT eid

            rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': eid})

            self.assertEqual(rset.rows, [[aff2]])

            rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': aff2})

            self.assertEqual(rset.rows, [])

            # test can't update an attribute of an entity that can't be readen

            self.assertRaises(Unauthorized, cnx.execute,

                              'SET X sujet "hacked" WHERE X eid %(x)s', {'x': eid})

    def test_entity_created_in_transaction(self):

        affschema = self.schema['Affaire']

        with self.temporary_permissions(Affaire={'read': affschema.permissions['add']}):

            with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:

                aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]

                # entity created in transaction are readable *by eid*

                self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2}))