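    def test_session(self):
        """Round-trip a session through the database.

        Creates a session, saves three attributes on it, loads it back
        through a second Session object that finds it via
        ``request.session_token``, and checks the values survived.  The
        session is destroyed in ``finally`` so a failed assertion does not
        leave a row behind in the shared ``system.db``.  Note that
        ``request.session_token`` is left set on exit.
        """
        system.setup(os.path.expanduser('~'))
        db = system.db

        session = Session(system)

        # Create new session.  The original check suggests new_session()
        # reports failure as the string 'Session error' instead of raising;
        # assertNotEqual replaces the deprecated assert_() alias and gives a
        # useful failure message.
        session_id = session.new_session()
        self.assertNotEqual(session_id, 'Session error')
        session.MyName = 'Test'
        session.Message = 'This is a test session'
        session.Number = 123

        session.save_session(session_id)

        # parameterised query: the session key is bound by the db layer,
        # never interpolated into the SQL text
        cmd = 'select * from dz_sessions where sesskey=%s'
        try:
            self.assertEqual(len(list(db(cmd, session_id))), 1)

            # Create new session object
            session2 = Session(system)

            # Load previously created session by token
            request.session_token = session_id
            session2.load_session()
            self.assertEqual(session2.Number, 123)
            self.assertEqual(session2.MyName, 'Test')
            self.assertEqual(session2.Message, 'This is a test session')

        finally:
            # remove the row even if an assertion above failed, then
            # confirm it is really gone
            session.destroy_session(session_id)
            self.assertEqual(len(list(db(cmd, session_id))), 0)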
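    def test_session(self):
        """Save a session, reload it through a second Session and clean up.

        The session is written with ``save_session``, read back by a fresh
        ``Session`` that locates it via ``request.session_token``, and
        finally removed with ``destroy_session``.  The dz_sessions row
        count is checked after the save (1) and after the destroy (0).
        Uses the shared ``system.db`` and leaves ``request.session_token``
        set when it returns.
        """
        system.setup(os.path.expanduser('~'))
        db = system.db

        def stored_rows(key):
            """rows of dz_sessions stored under *key* (parameterised query)"""
            return list(db('select * from dz_sessions where sesskey=%s', key))

        session = Session(system)

        # new_session() appears to report failure as the string
        # 'Session error' rather than raising, so check for it explicitly;
        # assertNotEqual replaces the deprecated assert_() alias
        session_id = session.new_session()
        self.assertNotEqual(session_id, 'Session error')

        session.MyName = 'Test'
        session.Message = 'This is a test session'
        session.Number = 123
        session.save_session(session_id)

        try:
            self.assertEqual(len(stored_rows(session_id)), 1)

            # a second Session object must find the saved data by token
            session2 = Session(system)
            request.session_token = session_id
            session2.load_session()
            self.assertEqual(session2.Number, 123)
            self.assertEqual(session2.MyName, 'Test')
            self.assertEqual(session2.Message, 'This is a test session')
        finally:
            # clean up even when an assertion failed, then confirm the
            # row is gone
            session.destroy_session(session_id)
            self.assertEqual(len(stored_rows(session_id)), 0)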
    def setUp(self):
        """Point the system at a throw-away MySQL database and build the
        People collection used by the tests.

        Side effects: replaces ``system.db``, turns the module-level
        ``user`` into a guest in the managers group, and redirects
        ``sys.stdout`` to stderr.  The original stream is kept in
        ``self.save_stdout`` so it can be restored later (the tearDown
        that does so is not part of this block).
        """
        # system first; the test database then replaces whatever it set up
        system.setup(os.path.expanduser('~'))

        user.initialize('guest')
        user.groups = ['managers']

        # NOTE(review): fixture credentials are hardcoded.  Acceptable only
        # for a disposable test database; they must never be reused for a
        # real instance.
        connection = {
            'host': 'database',
            'user': '******',
            'passwd': 'password',
            'db': 'test',
        }
        self.db = Database(MySQLdb.Connect, **connection)
        self.db.autocommit(1)
        system.db = self.db

        # the collection under test
        self.collection = Collection(
            'People', person_fields, Person, url='/myapp'
        )

        # route print output to stderr so it shows up in the test log;
        # the right-hand side is evaluated before either name is rebound
        self.save_stdout, sys.stdout = sys.stdout, sys.stderr
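    def setUp(self):
        """Build a fresh users/groups/members/subgroups fixture in the test
        MySQL database and point the system at it.

        Every table is dropped and recreated, so the fixture does not
        depend on what an earlier run left behind.  Side effects: replaces
        ``system.db``, ``system.users`` and ``system.database``, and prints
        the seeded tables so they appear in the test output.
        """
        # NOTE(review): fixture credentials are hardcoded.  Acceptable only
        # for a disposable test database; never reuse them for a real one.
        params = dict(
            host='database',
            user='******',
            passwd='password',
            db='test',
        )

        # fixed timestamp so dtadd/dtupd are reproducible between runs
        now = datetime.datetime(2016, 10, 11, 13, 12, 1)

        self.db = Database(MySQLdb.Connect, **params)
        # the tables below are MyISAM (non-transactional), so autocommit
        # is what makes each statement land immediately
        self.db.autocommit(1)

        self._setup_users_table(now)
        self._setup_groups_table()
        self._setup_members_table()
        self._setup_subgroups_table()

        # setup the system and install our own test database
        system.setup(os.path.expanduser('~'))
        system.db = self.db
        system.users = UserStore(self.db)   # for authenticate method
        # used by user.update_user, called by authenticate method
        system.database = LegacyDatabase(MySQLdb.Connect, **params)
        system.database.autocommit(1)

        # print(x) with a single argument behaves the same under Python 2
        # and 3, unlike the bare print statement
        print(self.db('select * from dz_users'))
        print(self.db('select * from dz_groups'))
        print(self.db('select * from dz_subgroups'))
        print(self.db('select * from dz_members'))

    def _setup_users_table(self, now):
        """Recreate dz_users and seed four accounts stamped with *now*."""
        self.db("DROP TABLE IF EXISTS `dz_users`")
        self.db("""
            CREATE TABLE `dz_users` (
              `userid` int(5) NOT NULL auto_increment,
              `loginid` char(50) default NULL,
              `password` varchar(125) default NULL,
              `firstname` char(40) default NULL,
              `lastname` char(40) default NULL,
              `email` char(60) default NULL,
              `phone` char(30) default NULL,
              `fax` char(30) default NULL,
              `dtupd` datetime default NULL,
              `dtadd` datetime default NULL,
              `status` char(1) default NULL,
              PRIMARY KEY  (`userid`),
              UNIQUE KEY `userid` (`loginid`),
              KEY `userid_2` (`loginid`),
              KEY `email` (`email`)
            ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
        """)
        # (loginid, plaintext password, firstname, lastname, status, dtupd, dtadd)
        records = [
            ('admin', 'admin', 'Admin', 'User', 'A', now, now),
            ('manager1', 'pass1', 'Manager', 'One', 'A', now, now),
            ('user1', 'pass2', 'User', 'One', 'A', now, now),
            ('user2', 'pass3', 'User', 'Two', 'A', now, now),
        ]
        # NOTE(review): OLD_PASSWORD() is MySQL's weak pre-4.1 password
        # hash and was removed in MySQL 5.7.5.  Presumably the authenticate
        # path compares against this format, so the fixture has to match
        # it -- confirm before moving the tests to a newer server.
        self.db.execute_many("""
            insert into dz_users
                (loginid, password, firstname, lastname, status, dtupd, dtadd)
                values 
                (%s, old_password(%s), %s, %s, %s, %s, %s)
        """, records)

    def _setup_groups_table(self):
        """Recreate dz_groups with the five standard groups (ids 1-5)."""
        self.db("DROP TABLE IF EXISTS `dz_groups`")
        self.db("""
                CREATE TABLE `dz_groups` (
                  `groupid` int(11) NOT NULL auto_increment,
                  `type` char(1) default NULL,
                  `name` char(20) default NULL,
                  `descr` char(60) default NULL,
                  `admin` char(20) default NULL,
                  PRIMARY KEY  (`groupid`),
                  UNIQUE KEY `name` (`name`),
                  KEY `name_2` (`name`)
               ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
        """)
        # explicit groupids: the members/subgroups fixtures refer to them
        records = [
            (1, 'U','administrators','System Administrators','administrators'),
            (2, 'U','users','Registered Users','administrators'),
            (3, 'U','guests','Guests','administrators'),
            (4, 'U','everyone','All users including guests','administrators'),
            (5, 'U','managers','Site Content Managers','administrators'),
        ]
        self.db.execute_many("""
            insert into dz_groups values (%s, %s, %s, %s, %s)
        """, records)

    def _setup_members_table(self):
        """Recreate dz_members and assign users (by userid) to groups."""
        self.db("DROP TABLE IF EXISTS `dz_members`")
        self.db("""
                CREATE TABLE `dz_members` (
                  `userid` int(11) default NULL,
                  `groupid` int(11) default NULL,
                  UNIQUE KEY `contactid_2` (`userid`,`groupid`),
                  KEY `contactid` (`userid`),
                  KEY `groupid` (`groupid`)
               ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
        """)
        # (userid, groupid); userids are the auto_increment order of the
        # dz_users inserts above
        records = [
            # admins
            (1, 1),

            # users
            (1, 2),
            (2, 2),
            (3, 2),
            (4, 2),

            # managers
            (2, 5),
        ]
        self.db.execute_many("""
            insert into dz_members values (%s, %s)
        """, records)

    def _setup_subgroups_table(self):
        """Recreate dz_subgroups with the group nesting the tests rely on."""
        self.db("DROP TABLE IF EXISTS `dz_subgroups`")
        self.db("""
                CREATE TABLE `dz_subgroups` (
                  `groupid` int(11) default NULL,
                  `subgroupid` int(11) default NULL,
                  UNIQUE KEY `groupid_2` (`groupid`,`subgroupid`),
                  KEY `groupid` (`groupid`),
                  KEY `subgroupid` (`subgroupid`)
               ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
        """)
        # (groupid, subgroupid)
        records = [
            # admin
            (2, 1), # admins are subgroup of users
            (5, 1), # admins are subgroup of managers

            # users 
            (4, 2), # users are subgroup of everyone

            # guests 
            (4, 3), # guests are subgroup of everyone

            # Managers
            (2, 5), # managers are subgroup of users
        ]
        self.db.execute_many("""
            insert into dz_subgroups values (%s, %s)
        """, records)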
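def generate_response(instance_path, start_time=None):
    """Generate the response to the current web request.

    Sets up the system, user and app manager for ``instance_path``, checks
    the CSRF token on POSTs, dispatches to the requested (or default) app
    and attaches the session cookie to the result.  Everything printed to
    stdout while the request runs is captured and, if the response has a
    ``printed_output`` attribute, stored there with ``<``/``>`` escaped.

    Args:
        instance_path: filesystem path of the site instance to serve.
        start_time: optional start timestamp handed to SystemTimer for the
            performance report.

    Returns:
        the response object produced by the app or by an error page.

    Raises:
        UnauthorizedException, CrossSiteRequestForgeryAttempt: re-raised
            only when ``debugging`` is true; otherwise turned into a 403
            page / redirect.  Any other ``Exception`` is logged and
            rendered as an error page; ``SystemExit`` and
            ``KeyboardInterrupt`` are deliberately not caught.
    """

    profiler = None
    # NOTE(review): verbose error handling is on until the user has been
    # identified below, so a failure inside system/user/manager setup is
    # shown as a developer traceback page to whoever sent the request (the
    # traceback is also logged).  Starting from False would fail closed.
    debugging = True

    system_timer = SystemTimer(start_time)

    # capture stdout for the whole request; restored in the finally below
    real_stdout = sys.stdout
    sys.stdout = StringIO.StringIO()
    try:
        try:
            # initialize context
            system.setup(instance_path, request.server, system_timer)
            system_timer.add('system initializated')

            user.setup()
            system_timer.add('user initializated')

            manager.setup()
            system_timer.add('manager initializated')

            if user.is_disabled:
                # we know who the user is, and their account is disabled
                msg = 'User {user.link} is disabled'
                raise UnauthorizedException(msg.format(user=user))

            debugging = (system.debugging or system.show_errors
                         or user.is_developer or user.is_administrator)

            session = system.session

            if system.track_visits:
                visited(request.subject, session.sid)

            # the token is popped from the form data on every method so
            # it never reaches the app as an ordinary field
            csrf_token = data.pop('csrf_token', None)
            if request.method == 'POST' and system.csrf_validation:
                if csrf_token == session.csrf_token:
                    # single use: a successful check consumes the token
                    del session.csrf_token
                else:
                    # NOTE(review): this message carries the valid token.
                    # It only surfaces when debugging re-raises below, but
                    # keep it out of any shared log.
                    msg = 'expected:%s got:%s' % (session.csrf_token,
                                                  csrf_token)
                    raise CrossSiteRequestForgeryAttempt(msg)

            requested_app_name = manager.requested_app_name()
            default_app_name = manager.default_app_name()

            os.chdir(system.config.sites_path)

            if not request.route:
                request.route.append(default_app_name)

            for app in manager.apps.values():
                app.initialize(request)

            if manager.can_run(requested_app_name):
                system.app = manager.get_app(requested_app_name)

                # profile only when the site or the user asks for it
                profiler = (system.profile or user.profile) \
                    and cProfile.Profile()
                if profiler:
                    profiler.enable()

                system_timer.add('app ready')

                response = system.app.run(request)

                system_timer.add('app returned')

                if profiler:
                    profiler.disable()

            elif manager.can_run_if_login(requested_app_name):
                # as it stands now, an attacker can generate a list of
                # enabled apps by iterating the/a namespace and seeing
                # which ones return a logon form.

                def referrer():
                    """get the referrer as a query string, or ''"""
                    # NOTE(review): request.uri is passed to the login app
                    # verbatim; that app must treat it as a local path only,
                    # or this becomes an open redirect after login.
                    uri = urllib.urlencode(dict(referrer=request.uri))
                    return uri and "?{}".format(uri) or ''

                response = redirect_to('/login{}'.format(referrer()))

            elif not requested_app_name:
                app = manager.get_app(default_app_name)
                if app:
                    system.app = app
                else:
                    raise Exception(default_app_name + ' app missing')
                response = system.app.run(request)

            elif manager.can_run(default_app_name):
                response = redirect_to('/')

            else:
                response = Page(PAGE_MISSING_MESSAGE).render()
                response.status = '404'

            timeout = session.save_session()
            set_session_cookie(
                response,
                session.sid,
                request.subject,
                timeout,
                system.secure_cookies,
            )

        except UnauthorizedException:
            logger.security('unauthorized access attempt')
            if debugging:
                raise
            else:
                response = Page(UNAUTHORIZED_MESSAGE).render()
                response.status = '403'

        except CrossSiteRequestForgeryAttempt:
            logger.security('cross site forgery attempt')
            if debugging:
                raise
            else:
                response = redirect_to('/')

        except SessionExpiredException:
            response = Page(
                load_template('system_application_session_expired',
                              SESSION_EXPIRED_MESSAGE)).render()

        # `except Exception:` rather than a bare except so SystemExit and
        # KeyboardInterrupt propagate instead of being rendered as a page
        except Exception:
            t = htmlquote(traceback.format_exc())
            logger.error(t)
            if debugging:
                # developers get the (HTML-quoted) traceback in the page
                try:
                    tpl = load_template('system_application_error_developer',
                                        STANDARD_ERROR_MESSAGE)
                    msg = tpl % dict(message=t)
                except Exception:
                    msg = SYSTEM_ERROR_MESSAGE % dict(message=t)
            else:
                # everyone else gets a generic message; details stay in the log
                try:
                    msg = load_template('system_application_error_user',
                                        FRIENDLY_ERROR_MESSAGE)
                except Exception:
                    msg = FRIENDLY_ERROR_MESSAGE

            try:
                response = Page(msg).render()
            except Exception:
                response = HTMLResponse(msg)

        if profiler:
            stats_s = StringIO.StringIO()
            sortby = 'cumulative'
            ps = pstats.Stats(profiler, stream=stats_s)
            ps.sort_stats(sortby)
            ps.print_stats(.1)
            t = stats_s.getvalue()
            # shorten install paths in the report
            t = t.replace(system.lib_path, '~zoom').replace(
                '/usr/lib/python2.7/dist-packages/',
                '~').replace('/usr/local/lib/python2.7/dist-packages/', '~')

            # stdout is still the capture buffer here, so this report ends
            # up in printed_output rather than on the real stdout
            print(''.join([
                '\n\n  System Performance Metrics\n ' + '=' * 30,
                system_timer.report(),
                system.database.report(),
                system.db.report(), '  Profiler\n ------------\n', t
            ]))
    finally:
        printed_output = sys.stdout.getvalue()
        sys.stdout.close()
        sys.stdout = real_stdout
        logger.complete()

    system.release()

    if hasattr(response, 'printed_output'):
        # NOTE(review): only angle brackets are escaped ('&' and quotes are
        # not), so this is suitable for element text but not for attribute
        # values -- confirm how the template embeds it.
        response.printed_output = printed_output.replace('<', '&lt;').replace(
            '>', '&gt;')

    return response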
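def generate_response(instance_path, start_time=None):
    """Generate the response to the current web request.

    Initialises the system, user and app manager for ``instance_path``,
    validates the CSRF token on POSTs, runs the requested (or default) app
    and sets the session cookie on the result.  Output printed to stdout
    during the request is captured and, when the response exposes a
    ``printed_output`` attribute, stored there with ``<``/``>`` escaped.

    Args:
        instance_path: filesystem path of the site instance to serve.
        start_time: optional start timestamp for the SystemTimer report.

    Returns:
        the response object from the app, or an error page.

    Raises:
        UnauthorizedException, CrossSiteRequestForgeryAttempt: re-raised
            only while ``debugging`` is true; otherwise rendered as a 403
            page / redirect.  Other ``Exception`` subclasses are logged
            and rendered as an error page; ``SystemExit`` and
            ``KeyboardInterrupt`` are deliberately left alone.
    """

    profiler = None
    # NOTE(review): verbose error handling stays on until the user is
    # identified below, so an error in system/user/manager setup is shown
    # as a developer traceback page to any requester (it is logged too).
    # Starting from False would fail closed.
    debugging = True

    system_timer = SystemTimer(start_time)

    # capture stdout for the whole request; restored in the finally below
    real_stdout = sys.stdout
    sys.stdout = StringIO.StringIO()
    try:
        try:
            # initialize context
            system.setup(instance_path, request.server, system_timer)
            system_timer.add('system initializated')

            user.setup()
            system_timer.add('user initializated')

            manager.setup()
            system_timer.add('manager initializated')

            if user.is_disabled:
                # we know who the user is, and their account is disabled
                msg = 'User {user.link} is disabled'
                raise UnauthorizedException(msg.format(user=user))

            debugging = (system.debugging or system.show_errors or
                         user.is_developer or user.is_administrator)

            session = system.session

            if system.track_visits:
                visited(request.subject, session.sid)

            # popped on every method so the token never reaches the app as
            # an ordinary form field
            csrf_token = data.pop('csrf_token', None)
            if request.method == 'POST' and system.csrf_validation:
                if csrf_token == session.csrf_token:
                    # single use: a successful check consumes the token
                    del session.csrf_token
                else:
                    # NOTE(review): the message carries the valid token; it
                    # only surfaces when debugging re-raises below, but keep
                    # it out of any shared log.
                    msg = 'expected:%s got:%s' % (
                        session.csrf_token, csrf_token)
                    raise CrossSiteRequestForgeryAttempt(msg)

            requested_app_name = manager.requested_app_name()
            default_app_name = manager.default_app_name()

            os.chdir(system.config.sites_path)

            if not request.route:
                request.route.append(default_app_name)

            for app in manager.apps.values():
                app.initialize(request)

            if manager.can_run(requested_app_name):
                system.app = manager.get_app(requested_app_name)

                # profile only when the site or the user asks for it
                profiler = (system.profile or user.profile) \
                    and cProfile.Profile()
                if profiler:
                    profiler.enable()

                system_timer.add('app ready')

                response = system.app.run(request)

                system_timer.add('app returned')

                if profiler:
                    profiler.disable()

            elif manager.can_run_if_login(requested_app_name):
                # as it stands now, an attacker can generate a list of
                # enabled apps by iterating the/a namespace and seeing
                # which ones return a logon form.

                def referrer():
                    """get the referrer as a query string, or ''"""
                    # NOTE(review): request.uri is handed to the login app
                    # verbatim; it must be treated there as a local path
                    # only, or this becomes an open redirect after login.
                    uri = urllib.urlencode(dict(referrer=request.uri))
                    return uri and "?{}".format(uri) or ''
                response = redirect_to('/login{}'.format(referrer()))

            elif not requested_app_name:
                app = manager.get_app(default_app_name)
                if app:
                    system.app = app
                else:
                    raise Exception(default_app_name + ' app missing')
                response = system.app.run(request)

            elif manager.can_run(default_app_name):
                response = redirect_to('/')

            else:
                response = Page(PAGE_MISSING_MESSAGE).render()
                response.status = '404'

            timeout = session.save_session()
            set_session_cookie(
                response,
                session.sid,
                request.subject,
                timeout,
                system.secure_cookies,
            )

        except UnauthorizedException:
            logger.security('unauthorized access attempt')
            if debugging:
                raise
            else:
                response = Page(UNAUTHORIZED_MESSAGE).render()
                response.status = '403'

        except CrossSiteRequestForgeryAttempt:
            logger.security('cross site forgery attempt')
            if debugging:
                raise
            else:
                response = redirect_to('/')

        except SessionExpiredException:
            response = Page(load_template(
                'system_application_session_expired',
                SESSION_EXPIRED_MESSAGE)).render()

        # `except Exception:` instead of a bare except: SystemExit and
        # KeyboardInterrupt propagate rather than becoming an error page
        except Exception:
            t = htmlquote(traceback.format_exc())
            logger.error(t)
            if debugging:
                # developers see the (HTML-quoted) traceback in the page
                try:
                    tpl = load_template(
                        'system_application_error_developer',
                        STANDARD_ERROR_MESSAGE)
                    msg = tpl % dict(message=t)
                except Exception:
                    msg = SYSTEM_ERROR_MESSAGE % dict(message=t)
            else:
                # everyone else gets the generic message; details stay in
                # the log
                try:
                    msg = load_template(
                        'system_application_error_user',
                        FRIENDLY_ERROR_MESSAGE
                    )
                except Exception:
                    msg = FRIENDLY_ERROR_MESSAGE

            try:
                response = Page(msg).render()
            except Exception:
                response = HTMLResponse(msg)

        if profiler:
            stats_s = StringIO.StringIO()
            sortby = 'cumulative'
            ps = pstats.Stats(profiler, stream=stats_s)
            ps.sort_stats(sortby)
            ps.print_stats(.1)
            t = stats_s.getvalue()
            # shorten install paths in the report
            t = t.replace(
                system.lib_path, '~zoom'
            ).replace(
                '/usr/lib/python2.7/dist-packages/',
                '~'
            ).replace(
                '/usr/local/lib/python2.7/dist-packages/',
                '~'
            )

            # stdout is still the capture buffer here, so the report lands
            # in printed_output rather than on the real stdout
            print(''.join([
                '\n\n  System Performance Metrics\n ' + '=' * 30,
                system_timer.report(),
                system.database.report(),
                system.db.report(),
                '  Profiler\n ------------\n',
                t
            ]))
    finally:
        printed_output = sys.stdout.getvalue()
        sys.stdout.close()
        sys.stdout = real_stdout
        logger.complete()

    system.release()

    if hasattr(response, 'printed_output'):
        # NOTE(review): only angle brackets are escaped ('&' and quotes are
        # not), which is enough for element text but not for attribute
        # values -- confirm how the template embeds it.
        response.printed_output = printed_output.replace(
            '<', '&lt;'
            ).replace(
            '>', '&gt;'
            )

    return response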