33 def setup_database(self): |
33 def setup_database(self): |
34 super(BaseSecurityTC, self).setup_database() |
34 super(BaseSecurityTC, self).setup_database() |
35 with self.admin_access.client_cnx() as cnx: |
35 with self.admin_access.client_cnx() as cnx: |
36 self.create_user(cnx, u'iaminusersgrouponly') |
36 self.create_user(cnx, u'iaminusersgrouponly') |
37 hash = _CRYPTO_CTX.encrypt('oldpassword', scheme='des_crypt') |
37 hash = _CRYPTO_CTX.encrypt('oldpassword', scheme='des_crypt') |
38 self.create_user(cnx, u'oldpassword', password=Binary(hash)) |
38 self.create_user(cnx, u'oldpassword', password=Binary(hash.encode('ascii'))) |
39 |
39 |
40 class LowLevelSecurityFunctionTC(BaseSecurityTC): |
40 class LowLevelSecurityFunctionTC(BaseSecurityTC): |
41 |
41 |
42 def test_check_relation_read_access(self): |
42 def test_check_relation_read_access(self): |
43 rql = u'Personne U WHERE U nom "managers"' |
43 rql = u'Personne U WHERE U nom "managers"' |
79 def test_update_password(self): |
79 def test_update_password(self): |
80 """Ensure that if a user's password is stored with a deprecated hash, |
80 """Ensure that if a user's password is stored with a deprecated hash, |
81 it will be updated on next login |
81 it will be updated on next login |
82 """ |
82 """ |
83 with self.repo.internal_cnx() as cnx: |
83 with self.repo.internal_cnx() as cnx: |
84 oldhash = str(cnx.system_sql("SELECT cw_upassword FROM cw_CWUser " |
84 oldhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser " |
85 "WHERE cw_login = 'oldpassword'").fetchone()[0]) |
85 "WHERE cw_login = 'oldpassword'").fetchone()[0] |
|
86 oldhash = self.repo.system_source.binary_to_str(oldhash) |
86 self.repo.close(self.repo.connect('oldpassword', password='oldpassword')) |
87 self.repo.close(self.repo.connect('oldpassword', password='oldpassword')) |
87 newhash = str(cnx.system_sql("SELECT cw_upassword FROM cw_CWUser " |
88 newhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser " |
88 "WHERE cw_login = 'oldpassword'").fetchone()[0]) |
89 "WHERE cw_login = 'oldpassword'").fetchone()[0] |
|
90 newhash = self.repo.system_source.binary_to_str(newhash) |
89 self.assertNotEqual(oldhash, newhash) |
91 self.assertNotEqual(oldhash, newhash) |
90 self.assertTrue(newhash.startswith('$6$')) |
92 self.assertTrue(newhash.startswith(b'$6$')) |
91 self.repo.close(self.repo.connect('oldpassword', password='oldpassword')) |
93 self.repo.close(self.repo.connect('oldpassword', password='oldpassword')) |
92 self.assertEqual(newhash, |
94 newnewhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser WHERE " |
93 str(cnx.system_sql("SELECT cw_upassword FROM cw_CWUser WHERE " |
95 "cw_login = 'oldpassword'").fetchone()[0] |
94 "cw_login = 'oldpassword'").fetchone()[0])) |
96 newnewhash = self.repo.system_source.binary_to_str(newnewhash) |
|
97 self.assertEqual(newhash, newnewhash) |
95 |
98 |
96 |
99 |
97 class SecurityRewritingTC(BaseSecurityTC): |
100 class SecurityRewritingTC(BaseSecurityTC): |
98 def hijack_source_execute(self): |
101 def hijack_source_execute(self): |
99 def syntax_tree_search(*args, **kwargs): |
102 def syntax_tree_search(*args, **kwargs): |
293 def test_user_can_change_its_upassword(self): |
296 def test_user_can_change_its_upassword(self): |
294 with self.admin_access.repo_cnx() as cnx: |
297 with self.admin_access.repo_cnx() as cnx: |
295 ueid = self.create_user(cnx, u'user').eid |
298 ueid = self.create_user(cnx, u'user').eid |
296 with self.new_access(u'user').repo_cnx() as cnx: |
299 with self.new_access(u'user').repo_cnx() as cnx: |
297 cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s', |
300 cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s', |
298 {'x': ueid, 'passwd': 'newpwd'}) |
301 {'x': ueid, 'passwd': b'newpwd'}) |
299 cnx.commit() |
302 cnx.commit() |
300 self.repo.close(self.repo.connect('user', password='newpwd')) |
303 self.repo.close(self.repo.connect('user', password='newpwd')) |
301 |
304 |
302 def test_user_cant_change_other_upassword(self): |
305 def test_user_cant_change_other_upassword(self): |
303 with self.admin_access.repo_cnx() as cnx: |
306 with self.admin_access.repo_cnx() as cnx: |
304 ueid = self.create_user(cnx, u'otheruser').eid |
307 ueid = self.create_user(cnx, u'otheruser').eid |
305 with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
308 with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx: |
306 cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s', |
309 cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s', |
307 {'x': ueid, 'passwd': 'newpwd'}) |
310 {'x': ueid, 'passwd': b'newpwd'}) |
308 self.assertRaises(Unauthorized, cnx.commit) |
311 self.assertRaises(Unauthorized, cnx.commit) |
309 |
312 |
310 # read security test |
313 # read security test |
311 |
314 |
312 def test_read_base(self): |
315 def test_read_base(self): |
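Review bot: In test_user_can_change_its_upassword the new side writes the password as bytes (`{'x': ueid, 'passwd': b'newpwd'}`, new line 301) but still logs in with the literal `password='newpwd'` (new line 303), so under Python 3 the set path and the login path receive different types. The value is pure ASCII, so any encoding the login path applies will pass, and behaviour for non-ASCII passwords is left unpinned; presumably connect() encodes text before verifying, but that is not visible in this hunk. I would derive both arguments from one variable and document the contract above the execute call, e.g. `# upassword is set as bytes, connect() takes text; both come from the same value`, so a non-ASCII case can be added without guessing the encoding. The same bytes literal is introduced in test_user_cant_change_other_upassword (new line 310), and test_read_base continues outside the hunk.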