# HG changeset patch
# User Julien Cristau
# Date 1423824454 -3600
# Node ID 131275d6c268c8b1bc8754ec538d3d623bae0c88
# Parent 7efcfb87b9247452cd7b85bd68b83706070ec29a
[server/test] use unicode strings for user logins
diff -r 7efcfb87b924 -r 131275d6c268 server/test/unittest_security.py
--- a/server/test/unittest_security.py Fri Feb 13 10:00:32 2015 +0100
+++ b/server/test/unittest_security.py Fri Feb 13 11:47:34 2015 +0100
@@ -31,9 +31,9 @@
 def setup_database(self):
 super(BaseSecurityTC, self).setup_database()
 with self.admin_access.client_cnx() as cnx:
- self.create_user(cnx, 'iaminusersgrouponly')
+ self.create_user(cnx, u'iaminusersgrouponly')
 hash = _CRYPTO_CTX.encrypt('oldpassword', scheme='des_crypt')
- self.create_user(cnx, 'oldpassword', password=Binary(hash))
+ self.create_user(cnx, u'oldpassword', password=Binary(hash))
 class LowLevelSecurityFunctionTC(BaseSecurityTC):
@@ -45,7 +45,7 @@
 with self.admin_access.repo_cnx() as cnx:
 self.repo.vreg.solutions(cnx, rqlst, None)
 check_relations_read_access(cnx, rqlst, {})
- with self.new_access('anon').repo_cnx() as cnx:
+ with self.new_access(u'anon').repo_cnx() as cnx:
 self.assertRaises(Unauthorized, check_relations_read_access, cnx, rqlst, {})
@@ -60,7 +60,7 @@
 solution = rqlst.solutions[0]
 localchecks = get_local_checks(cnx, rqlst, solution)
 self.assertEqual({}, localchecks)
- with self.new_access('anon').repo_cnx() as cnx:
+ with self.new_access(u'anon').repo_cnx() as cnx:
 self.assertRaises(Unauthorized, get_local_checks, cnx, rqlst, solution)
@@ -70,7 +70,7 @@
 with self.admin_access.repo_cnx() as cnx:
 self.assertRaises(Unauthorized, cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 self.assertRaises(Unauthorized, cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')
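Review bot: The reason the login literals become `u'...'` while the password literal on the adjacent line stays a plain `'oldpassword'` is not recorded anywhere in the file, so the next contributor is likely to "fix" the inconsistency one way or the other; a short comment above the first `create_user` call in setup_database would settle it. Something like `# logins are unicode text; the password input to _CRYPTO_CTX.encrypt is deliberately left as a byte string` — presumably that is the intent, but the page does not show the attribute types, so confirm against the schema before wording it. The same text/bytes split recurs with the `'passwd': 'newpwd'` literals in the upassword hunks at -290 and -299. setup_database's enclosing class starts outside the hunk.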
@@ -104,7 +104,7 @@
 super(SecurityRewritingTC, self).tearDown()
 def test_not_relation_read_security(self):
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 self.hijack_source_execute()
 cnx.execute('Any U WHERE NOT A todo_by U, A is Affaire')
 self.assertEqual(self.query[0][1].as_string(),
@@ -126,13 +126,13 @@
 cnx.commit()
 def test_insert_security(self):
- with self.new_access('anon').repo_cnx() as cnx:
+ with self.new_access(u'anon').repo_cnx() as cnx:
 cnx.execute("INSERT Personne X: X nom 'bidule'")
 self.assertRaises(Unauthorized, cnx.commit)
 self.assertEqual(cnx.execute('Personne X').rowcount, 1)
 def test_insert_security_2(self):
- with self.new_access('anon').repo_cnx() as cnx:
+ with self.new_access(u'anon').repo_cnx() as cnx:
 cnx.execute("INSERT Affaire X")
 self.assertRaises(Unauthorized, cnx.commit)
 # anon has no read permission on Affaire entities, so
@@ -141,20 +141,20 @@
 def test_insert_rql_permission(self):
 # test user can only add une affaire related to a societe he owns
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 cnx.execute("INSERT Affaire X: X sujet 'cool'")
 self.assertRaises(Unauthorized, cnx.commit)
 # test nothing has actually been inserted
 with self.admin_access.repo_cnx() as cnx:
 self.assertEqual(cnx.execute('Affaire X').rowcount, 1)
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 cnx.execute("INSERT Affaire X: X sujet 'cool'")
 cnx.execute("INSERT Societe X: X nom 'chouette'")
 cnx.execute("SET A concerne S WHERE A sujet 'cool', S nom 'chouette'")
 cnx.commit()
 def test_update_security_1(self):
- with self.new_access('anon').repo_cnx() as cnx:
+ with self.new_access(u'anon').repo_cnx() as cnx:
 # local security check
 cnx.execute( "SET X nom 'bidulechouette' WHERE X is Personne")
 self.assertRaises(Unauthorized, cnx.commit)
@@ -164,7 +164,7 @@
 def test_update_security_2(self):
 with self.temporary_permissions(Personne={'read': ('users', 'managers'), 'add': ('guests', 'users', 'managers')}):
- with self.new_access('anon').repo_cnx() as cnx:
+ with self.new_access(u'anon').repo_cnx() as cnx:
 self.assertRaises(Unauthorized, cnx.execute, "SET X nom 'bidulechouette' WHERE X is Personne")
 # test nothing has actually been inserted
@@ -172,7 +172,7 @@
 self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
 def test_update_security_3(self):
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 cnx.execute("INSERT Personne X: X nom 'biduuule'")
 cnx.execute("INSERT Societe X: X nom 'looogilab'")
 cnx.execute("SET X travaille S WHERE X nom 'biduuule', S nom 'looogilab'")
@@ -191,7 +191,7 @@
 cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
 cnx.commit()
 # test user can only update une affaire related to a societe he owns
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 cnx.execute("SET X sujet 'pascool' WHERE X is Affaire")
 # this won't actually do anything since the selection query won't return anything
 cnx.commit()
@@ -212,7 +212,7 @@
 #self.assertRaises(Unauthorized,
 # self.o.execute, user, "DELETE CWUser X WHERE X login 'bidule'")
 # check local security
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 self.assertRaises(Unauthorized, cnx.execute, "DELETE CWGroup Y WHERE Y name 'staff'")
 def test_delete_rql_permission(self):
@@ -220,7 +220,7 @@
 cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
 cnx.commit()
 # test user can only dele une affaire related to a societe he owns
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 # this won't actually do anything since the selection query won't return anything
 cnx.execute("DELETE Affaire X")
 cnx.commit()
@@ -239,7 +239,7 @@
 cnx.commit()
 def test_insert_relation_rql_permission(self):
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
 # should raise Unauthorized since user don't own S though this won't
 # actually do anything since the selection query won't return
@@ -266,7 +266,7 @@
 with self.admin_access.repo_cnx() as cnx:
 cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
 cnx.commit()
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 # this won't actually do anything since the selection query won't return anything
 cnx.execute("DELETE A concerne S")
 cnx.commit()
@@ -277,7 +277,7 @@
 {'x': eid})
 cnx.execute("SET A concerne S WHERE A sujet 'pascool', S is Societe")
 cnx.commit()
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 self.assertRaises(Unauthorized, cnx.execute, "DELETE A concerne S")
 self.assertRaises(QueryError, cnx.commit) # can't commit anymore
 cnx.rollback()
@@ -290,8 +290,8 @@
 def test_user_can_change_its_upassword(self):
 with self.admin_access.repo_cnx() as cnx:
- ueid = self.create_user(cnx, 'user').eid
- with self.new_access('user').repo_cnx() as cnx:
+ ueid = self.create_user(cnx, u'user').eid
+ with self.new_access(u'user').repo_cnx() as cnx:
 cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s', {'x': ueid, 'passwd': 'newpwd'})
 cnx.commit()
@@ -299,8 +299,8 @@
 def test_user_cant_change_other_upassword(self):
 with self.admin_access.repo_cnx() as cnx:
- ueid = self.create_user(cnx, 'otheruser').eid
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ ueid = self.create_user(cnx, u'otheruser').eid
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s', {'x': ueid, 'passwd': 'newpwd'})
 self.assertRaises(Unauthorized, cnx.commit)
@@ -309,7 +309,7 @@
 def test_read_base(self):
 with self.temporary_permissions(Personne={'read': ('users', 'managers')}):
- with self.new_access('anon').repo_cnx() as cnx:
+ with self.new_access(u'anon').repo_cnx() as cnx:
 self.assertRaises(Unauthorized, cnx.execute, 'Personne U where U nom "managers"')
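Review bot: In the -290 hunk, test_user_can_change_its_upassword commits the `SET X upassword` on the new `u'user'` connection, but nothing visible in the hunk checks that the password was actually changed, so a write that is silently dropped by a hook or by security rewriting would still let the test pass. The hunk ends at `cnx.commit()` and the function continues past it; if the remaining lines do not verify the new value, an assertion that the updated credential is accepted (or that the old one no longer is) is what would make this a positive test rather than just "commit did not raise". The sibling test at -299 does pin its outcome with `self.assertRaises(Unauthorized, cnx.commit)`, so only the success path is unverified here.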
@@ -317,7 +317,7 @@
 with self.admin_access.repo_cnx() as cnx:
 eid = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
 cnx.commit()
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 rset = cnx.execute('Affaire X')
 self.assertEqual(rset.rows, [])
 self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
@@ -342,7 +342,7 @@
 def test_entity_created_in_transaction(self):
 affschema = self.schema['Affaire']
 with self.temporary_permissions(Affaire={'read': affschema.permissions['add']}):
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
 # entity created in transaction are readable *by eid*
 self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
@@ -358,7 +358,7 @@
 cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"', {'x': card1})
 cnx.commit()
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
 soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
 cnx.execute("SET A concerne S WHERE A eid %(a)s, S eid %(s)s", {'a': aff2, 's': soc1})
@@ -376,7 +376,7 @@
 cnx.execute("INSERT Societe X: X nom 'bidule'")
 cnx.commit()
 with self.temporary_permissions(Personne={'read': ('managers',)}):
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 rset = cnx.execute('Any N WHERE N has_text "bidule"')
 self.assertEqual(len(rset.rows), 1, rset.rows)
 rset = cnx.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")')
@@ -388,7 +388,7 @@
 cnx.execute("INSERT Societe X: X nom 'bidule'")
 cnx.commit()
 with self.temporary_permissions(Personne={'read': ('managers',)}):
- with self.new_access('anon').repo_cnx() as cnx:
+ with self.new_access(u'anon').repo_cnx() as cnx:
 rset = cnx.execute('Any N,U WHERE N has_text "bidule", N owned_by U?')
 self.assertEqual(len(rset.rows), 1, rset.rows)
@@ -396,7 +396,7 @@
 with self.admin_access.repo_cnx() as cnx:
 cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
 cnx.commit()
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 rset = cnx.execute('Any COUNT(X) WHERE X is Affaire')
 self.assertEqual(rset.rows, [[0]])
 aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
@@ -424,7 +424,7 @@
 "X web 'http://www.debian.org', X test TRUE")[0][0]
 cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
 cnx.commit()
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 cnx.execute("INSERT Personne X: X nom 'bidule', "
 "X web 'http://www.debian.org', X test TRUE")
 self.assertRaises(Unauthorized, cnx.commit)
@@ -440,7 +440,7 @@
 self.assertRaises(Unauthorized, cnx.commit)
 cnx.execute('SET X web "http://www.logilab.org" WHERE X eid %(x)s', {'x': eid})
 cnx.commit()
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 cnx.execute('INSERT Frozable F: F name "Foo"')
 cnx.commit()
 cnx.execute('SET F name "Bar" WHERE F is Frozable')
@@ -464,7 +464,7 @@
 note.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
 cnx.execute('SET X para "truc" WHERE X eid %(x)s', {'x': note.eid})
 cnx.commit()
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note.eid})
 self.assertRaises(Unauthorized, cnx.commit)
 note2 = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
@@ -496,7 +496,7 @@
 login_rdef = self.repo.schema['CWUser'].rdef('login')
 with self.temporary_permissions((login_rdef, {'read': ('users', 'managers')}),
 CWUser={'read': ('guests', 'users', 'managers')}):
- with self.new_access('anon').repo_cnx() as cnx:
+ with self.new_access(u'anon').repo_cnx() as cnx:
 rset = cnx.execute('CWUser X')
 self.assertTrue(rset)
 x = rset.get_entity(0, 0)
@@ -510,7 +510,7 @@
 def test_yams_inheritance_and_security_bug(self):
 with self.temporary_permissions(Division={'read': ('managers', ERQLExpression('X owned_by U'))}):
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 querier = cnx.repo.querier
 rqlst = querier.parse('Any X WHERE X is_instance_of Societe')
 querier.solutions(cnx, rqlst, {})
@@ -528,7 +528,7 @@
 def test_user_can_delete_object_he_created(self):
 # even if some other user have changed object'state
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 # due to security test, affaire has to concerne a societe the user owns
 cnx.execute('INSERT Societe X: X nom "ARCTIA"')
 cnx.execute('INSERT Affaire X: X ref "ARCT01", X concerne S WHERE S nom "ARCTIA"')
@@ -542,7 +542,7 @@
 self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",'
 'X owned_by U, U login "admin"')), 1) # TrInfo at the above state change
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 cnx.execute('DELETE Affaire X WHERE X ref "ARCT01"')
 cnx.commit()
 self.assertFalse(cnx.execute('Affaire X'))
@@ -550,7 +550,7 @@
 def test_users_and_groups_non_readable_by_guests(self):
 with self.repo.internal_cnx() as cnx:
 admineid = cnx.execute('CWUser U WHERE U login "admin"').rows[0][0]
- with self.new_access('anon').repo_cnx() as cnx:
+ with self.new_access(u'anon').repo_cnx() as cnx:
 anon = cnx.user
 # anonymous user can only read itself
 rset = cnx.execute('Any L WHERE X owned_by U, U login L')
@@ -569,7 +569,7 @@
 self.assertRaises(Unauthorized, cnx.commit)
 def test_in_group_relation(self):
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 rql = u"DELETE U in_group G WHERE U login 'admin'"
 self.assertRaises(Unauthorized, cnx.execute, rql)
 rql = u"SET U in_group G WHERE U login 'admin', G name 'users'"
@@ -579,7 +579,7 @@
 with self.admin_access.repo_cnx() as cnx:
 cnx.execute("INSERT Personne X: X nom 'bidule'")
 cnx.commit()
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 rql = u"SET X owned_by U WHERE U login 'iaminusersgrouponly', X is Personne"
 self.assertRaises(Unauthorized, cnx.execute, rql)
@@ -589,7 +589,7 @@
 beid2 = cnx.execute('INSERT Bookmark B: B path "?vid=index", B title "index", '
 'B bookmarked_by U WHERE U login "anon"')[0][0]
 cnx.commit()
- with self.new_access('anon').repo_cnx() as cnx:
+ with self.new_access(u'anon').repo_cnx() as cnx:
 anoneid = cnx.user.eid
 self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
 'B bookmarked_by U, U eid %s' % anoneid).rows,
@@ -606,7 +606,7 @@
 {'x': anoneid, 'b': beid1})
 def test_ambigous_ordered(self):
- with self.new_access('anon').repo_cnx() as cnx:
+ with self.new_access(u'anon').repo_cnx() as cnx:
 names = [t for t, in cnx.execute('Any N ORDERBY lower(N) WHERE X name N')]
 self.assertEqual(names, sorted(names, key=lambda x: x.lower()))
@@ -617,7 +617,7 @@
 with self.admin_access.repo_cnx() as cnx:
 eid = cnx.execute('INSERT Affaire X: X ref "ARCT01"')[0][0]
 cnx.commit()
- with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
+ with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
 # needed to remove rql expr granting update perm to the user
 affschema = self.schema['Affaire']
 with self.temporary_permissions(Affaire={'update': affschema.get_groups('update'),
@@ -675,7 +675,7 @@
 'U use_email X WHERE U login "anon"').get_entity(0, 0)
 cnx.commit()
 self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 2)
- with self.new_access('anon').repo_cnx() as cnx:
+ with self.new_access(u'anon').repo_cnx() as cnx:
 self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 1)
 if __name__ == '__main__':