def test_single_user_nonsuperadmin(self):
"""
a user is allowed to receive information of an arbitrary user, if he
has ACCESS_READ in the user2user table.
"""
db = self.ccd._db.conn
# user that requests the information. needs ACCESS_READ
user = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user.uid, 3)
add_user2user(db, user.uid, 3) # ACCESS_READ
valid_sid = self.ccd._assign_user_a_session(user).sid
# user to request for information
user_to_request = create_user(db, str(getRandomBytes()))
create_workgroup(db, "newworkgroup", user_to_request.uid, 3)
payload = {"uid": user_to_request.uid}
res = show_user(self.ccd, valid_sid, payload)[0]
try:
self.assertEqual(res["uid"], user_to_request.uid)
self.assertEqual(res["name"], user_to_request.name)
self.assertEqual(res["mail"], user_to_request.mail)
self.assertEqual(res["description"], user_to_request.description)
finally:
user.delete(db)
user_to_request.delete(db)
wg.delete(db)
def test_permission_denied(self):
"""
verify that a non-superdmin user, who has no ACCESS_WRITE is not
allowed to modify a user
"""
db = self.ccd._db.conn
# first we create that new user
uid = create_user(db, str(getRandomBytes())).uid
# create a user and a workgroup w/o ACCESS_ADD in
# user2users table
user = create_user(db, str(getRandomBytes()))
create_workgroup(db, "newworkgroup", user.uid, 3)
add_user2user(db, user.uid, 4) # NO ACCESS_WRITE
valid_sid = self.ccd._assign_user_a_session(user).sid
# second, we update this user
name2 = str(getRandomBytes())
mail2 = "mymail%d" % random.randrange(1000, 9999)
description2 = "mydescription%d" % random.randrange(1000, 9999)
update_pld = {
"uid": uid,
"name": name2,
"mail": mail2,
"description": description2
}
self.assertRaises(PermissionDenied, update_user, self.ccd, valid_sid,
update_pld)
def test_rename_user_with_existing_username(self):
"""
renaming a user to a name of an existing user should raise an exception
"""
db = self.ccd._db.conn
valid_sid = self.session.sid
# this is the user that we try to rename as
name1 = str(getRandomBytes())
create_user(db, name1).uid
# this is the user that we want to rename
name2 = str(getRandomBytes())
uid2 = create_user(db, name2).uid
# now renanme user2 with the name of user1
update_pld = {
"uid": uid2,
"name": name1,
"mail": "foo",
"description": "bar"
}
self.assertRaises(AlreadyExistingError, update_user, self.ccd,
valid_sid, update_pld)
def test_superadmin(self):
""" verify that the superadmin is able to update users """
valid_sid = self.session.sid
name = str(getRandomBytes())
add_pld = {
"name": name,
"mail": "mail@mynewuser",
"password": "******"
}
# first we create that new user
uid = new_user(self.ccd, valid_sid, add_pld)
self.assertIsInstance(uid, int)
# second, we update this user
name2 = str(getRandomBytes())
mail2 = "mymail%d" % random.randrange(1000, 9999)
description2 = "mydescription%d" % random.randrange(1000, 9999)
update_pld = {
"uid": uid,
"name": name2,
"mail": mail2,
"description": description2
}
self.assertIsNone(update_user(self.ccd, valid_sid, update_pld))
# third, we verify that the changed data is written to database
user = User.by_uid(self.ccd._db.conn, uid)
self.assertEqual(user.name, name2)
self.assertEqual(user.mail, mail2)
self.assertEqual(user.description, description2)
def test_single_user_permission_denied(self):
"""
a user that is not superadmin and has no ACCESS_READ must fail reading
user information (of user that are not the user ifself). it must be
raised a permission denied exceperion. Note. every role includes
ACCESS_READ by default, hence the user that requests the information
must no be in user2user table.
"""
db = self.ccd._db.conn
# user that requests the information. needs ACCESS_READ
user = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user.uid, 3)
valid_sid = self.ccd._assign_user_a_session(user).sid
# user to request for information
user_to_request = create_user(db, str(getRandomBytes()))
create_workgroup(db, "newworkgroup", user_to_request.uid, 3)
payload = {"uid": user_to_request.uid}
try:
self.assertRaises(PermissionDenied,
show_user,
self.ccd,
valid_sid,
payload)
finally:
user.delete(db)
user_to_request.delete(db)
wg.delete(db)
def test_all_user_permission_denied(self):
"""
a user that is not superadmin and has no ACCESS_READ must fail reading
user information (of user that are not the user ifself). it must be
raised a permission denied exception
"""
db = self.ccd._db.conn
# user that requests the information. needs ACCESS_READ
user = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user.uid, 3)
valid_sid = self.ccd._assign_user_a_session(user).sid
# user to request for information
user_to_request = create_user(db, str(getRandomBytes()))
create_workgroup(db, "newworkgroup", user_to_request.uid, 3)
# set None to request all users
payload = {"uid": None}
try:
self.assertRaises(PermissionDenied,
show_user,
self.ccd,
valid_sid,
payload)
finally:
user.delete(db)
user_to_request.delete(db)
wg.delete(db)
def test_single_user_permission_denied(self):
"""
a user that is not superadmin and has no ACCESS_READ must fail reading
user information (of user that are not the user ifself). it must be
raised a permission denied exceperion. Note. every role includes
ACCESS_READ by default, hence the user that requests the information
must no be in user2user table.
"""
db = self.ccd._db.conn
# user that requests the information. needs ACCESS_READ
user = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user.uid, 3)
valid_sid = self.ccd._assign_user_a_session(user).sid
# user to request for information
user_to_request = create_user(db, str(getRandomBytes()))
create_workgroup(db, "newworkgroup", user_to_request.uid, 3)
payload = {"uid": user_to_request.uid}
try:
self.assertRaises(PermissionDenied, show_user, self.ccd, valid_sid,
payload)
finally:
user.delete(db)
user_to_request.delete(db)
wg.delete(db)
def test_addpermission(self):
"""
verify that a user with ACCESS_ADD in user2user table is able to
create new users. note: this user must not be the superadmin.
"""
db = self.ccd._db.conn
# create a user and a workgroup. give the user ACCESS_ADD in
# user2users table
user = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user.uid, 2)
del_user2user(db, user.uid)
add_user2user(db, user.uid, 2) # ACCESS_ADD
valid_sid = self.ccd._assign_user_a_session(user).sid
# create user
name = str(getRandomBytes())
valid_pld = {"name": name,
"mail": "mail@mynewuser",
"password": "******"}
# first we create that new user
uid = new_user(self.ccd, valid_sid, valid_pld)
self.assertIsInstance(uid, int)
# second, we check for the user to be in the database
user2 = User.by_name(self.ccd._db.conn, name)
try:
self.assertEqual(uid, user2.uid)
finally:
# delete them, since they are not needed anymore
user2.delete(db)
user.delete(db)
wg.delete(db)
def test_all_user_permission_denied(self):
"""
a user that is not superadmin and has no ACCESS_READ must fail reading
user information (of user that are not the user ifself). it must be
raised a permission denied exception
"""
db = self.ccd._db.conn
# user that requests the information. needs ACCESS_READ
user = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user.uid, 3)
valid_sid = self.ccd._assign_user_a_session(user).sid
# user to request for information
user_to_request = create_user(db, str(getRandomBytes()))
create_workgroup(db, "newworkgroup", user_to_request.uid, 3)
# set None to request all users
payload = {"uid": None}
try:
self.assertRaises(PermissionDenied, show_user, self.ccd, valid_sid,
payload)
finally:
user.delete(db)
user_to_request.delete(db)
wg.delete(db)
def test_permission_denied(self):
"""
if the user is no superadmin and has no ACCESS_ADD a
permissionDenied exception is raised
"""
db = self.ccd._db.conn
user = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user.uid, 3)
add_user2user(db, user.uid, 3) # no ACCESS_ADD
valid_sid = self.ccd._assign_user_a_session(user).sid
# create user
name = str(getRandomBytes())
valid_pld = {"name": name,
"mail": "mail@mynewuser",
"password": "******"}
try:
self.assertRaises(PermissionDenied,
new_user,
self.ccd,
valid_sid,
valid_pld)
finally:
user.delete(db)
wg.delete(db)
def test_single_user_nonsuperadmin(self):
"""
a user is allowed to receive information of an arbitrary user, if he
has ACCESS_READ in the user2user table.
"""
db = self.ccd._db.conn
# user that requests the information. needs ACCESS_READ
user = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user.uid, 3)
add_user2user(db, user.uid, 3) # ACCESS_READ
valid_sid = self.ccd._assign_user_a_session(user).sid
# user to request for information
user_to_request = create_user(db, str(getRandomBytes()))
create_workgroup(db, "newworkgroup", user_to_request.uid, 3)
payload = {"uid": user_to_request.uid}
res = show_user(self.ccd, valid_sid, payload)[0]
try:
self.assertEqual(res["uid"], user_to_request.uid)
self.assertEqual(res["name"], user_to_request.name)
self.assertEqual(res["mail"], user_to_request.mail)
self.assertEqual(res["description"], user_to_request.description)
finally:
user.delete(db)
user_to_request.delete(db)
wg.delete(db)
def test_permission_denied(self):
"""
if the user is no superadmin and has no ACCESS_ADD a
permissionDenied exception is raised
"""
db = self.ccd._db.conn
user = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user.uid, 3)
add_user2user(db, user.uid, 3) # no ACCESS_ADD
valid_sid = self.ccd._assign_user_a_session(user).sid
# create user
name = str(getRandomBytes())
valid_pld = {
"name": name,
"mail": "mail@mynewuser",
"password": "******"
}
try:
self.assertRaises(PermissionDenied, new_user, self.ccd, valid_sid,
valid_pld)
finally:
user.delete(db)
wg.delete(db)
def test_delpermission(self):
"""
verify that a user with ACCESS_DEL in user2user table is able to
delete users. note: this user must not be the superadmin.
"""
db = self.ccd._db.conn
# create a user and a workgroup. give the user ACCESS_ADD in
# user2users table
user = create_user(db, str(random.randrange(1000,9999)))
wg = create_workgroup(db, "newworkgroup", user.uid, 2)
add_user2user(db, user.uid, 2) # ACCESS_DEL
valid_sid = self.ccd._assign_user_a_session(user).sid
# create user
name = str(getRandomBytes())
valid_pld = {"name": name,
"mail": "mail@mynewuser",
"password": "******"}
# first we create that new user
uid = new_user(self.ccd, valid_sid, valid_pld)
self.assertIsInstance(uid, int)
# second, we delete that user
del_pld = {"uid": uid}
self.assertIsNone(delete_user(self.ccd, valid_sid, del_pld))
user.delete(db)
wg.delete(db)
def test_project_user_superadmin(self):
"""
using pid instead of uid in payload should return user in
corresponding project
"""
db = self.ccd._db.conn
# user that requests the information. needs ACCESS_READ
valid_sid = self.session.sid
# create users
users = []
for i in range(10):
user = create_user(db, str(getRandomBytes()))
create_workgroup(db, "newworkgroup", user.uid, 3)
users.append(user)
# add users to projects
for u in users:
proj = create_project(db, "test_project_user_superadmin", u, 3)
# set None to request all users
payload = {"pid": proj.pid}
res = show_user(self.ccd, valid_sid, payload)
try:
self.assertUsersInProject(res, users)
finally:
proj.delete(db)
for u in users:
u.delete(db)
def test_all_user_nonsuperadmin(self):
"""
a user is allowed to receive information of a user, if he has
ACCESS_READ in the user2user table.
"""
db = self.ccd._db.conn
# user that requests the information. needs ACCESS_READ
user = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user.uid, 3)
add_user2user(db, user.uid, 3) # ACCESS_READ
valid_sid = self.ccd._assign_user_a_session(user).sid
# set None to request all users
payload = {"uid": None}
res = show_user(self.ccd, valid_sid, payload)
meta, conn = db
tbl = meta.tables[tbl_users]
with conn.begin():
sel = tbl.select().where(tbl.c.deleted == False)
users = conn.execute(sel).fetchall()
try:
self.assertEqualResolution(res, users)
finally:
user.delete(db)
wg.delete(db)
def test_single_user_superadmin(self):
"""
the superadmin is allowed to receive information of an existing user.
"""
db = self.ccd._db.conn
# user that requests the information. needs ACCESS_READ
valid_sid = self.session.sid
# user to request for information
user_to_request = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user_to_request.uid, 3)
payload = {"uid": user_to_request.uid}
res = show_user(self.ccd, valid_sid, payload)[0]
try:
self.assertEqual(res["uid"], user_to_request.uid)
self.assertEqual(res["name"], user_to_request.name)
self.assertEqual(res["mail"], user_to_request.mail)
self.assertEqual(res["description"], user_to_request.description)
finally:
user_to_request.delete(db)
wg.delete(db)
def __get_project_db_creds(dbconn, dbname, n=10, privilege="SELECT"):
""" Creates a new user for the project database. Grant set privileges
to the new user..
input:
dbconn A database connection that is used to create the new
postgresl user.
dbname Name of the project's database.
n Length of the password.
privilege Privileges to grant. Default is 'SELECT' (read).
output:
username The new username to connect with.
password The new password to connect with.
"""
logger.debug("creating db credentials..")
username = "******" % dbname
password = ccdCrypto.getRandomBytes(n)
logger.debug('Created %s with %s (priv: %s)', username, password,
repr(privilege))
with dbconn.begin():
#TODO sha1 hash of password
create = "CREATE USER {user} WITH PASSWORD '{pwd}';".format(
user=username, pwd=password)
dbconn.execute(create)
__grant_project_db_priv(dbconn, username, privilege=privilege)
return username, password
def test_single_user_nonexisting(self):
"""
requesting a non-existing user should fail
"""
db = self.ccd._db.conn
# user that requests the information. needs ACCESS_READ
valid_sid = self.session.sid
# user to request for information
user_to_request = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user_to_request.uid, 3)
payload = {"uid": -1}
try:
self.assertRaises(NotFoundError,
show_user,
self.ccd,
valid_sid,
payload)
finally:
user_to_request.delete(db)
wg.delete(db)
def test_delpermission(self):
"""
verify that a user with ACCESS_DEL in user2user table is able to
delete users. note: this user must not be the superadmin.
"""
db = self.ccd._db.conn
# create a user and a workgroup. give the user ACCESS_ADD in
# user2users table
user = create_user(db, str(random.randrange(1000, 9999)))
wg = create_workgroup(db, "newworkgroup", user.uid, 2)
add_user2user(db, user.uid, 2) # ACCESS_DEL
valid_sid = self.ccd._assign_user_a_session(user).sid
# create user
name = str(getRandomBytes())
valid_pld = {
"name": name,
"mail": "mail@mynewuser",
"password": "******"
}
# first we create that new user
uid = new_user(self.ccd, valid_sid, valid_pld)
self.assertIsInstance(uid, int)
# second, we delete that user
del_pld = {"uid": uid}
self.assertIsNone(delete_user(self.ccd, valid_sid, del_pld))
user.delete(db)
wg.delete(db)
def test_all_user_nonsuperadmin(self):
"""
a user is allowed to receive information of a user, if he has
ACCESS_READ in the user2user table.
"""
db = self.ccd._db.conn
# user that requests the information. needs ACCESS_READ
user = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user.uid, 3)
add_user2user(db, user.uid, 3) # ACCESS_READ
valid_sid = self.ccd._assign_user_a_session(user).sid
# set None to request all users
payload = {"uid": None}
res = show_user(self.ccd, valid_sid, payload)
meta, conn = db
tbl = meta.tables[tbl_users]
with conn.begin():
sel = tbl.select().where(tbl.c.deleted==False)
users = conn.execute(sel).fetchall()
try:
self.assertEqualResolution(res, users)
finally:
user.delete(db)
wg.delete(db)
def test_name_characters(self):
"""
a name that contains other characters except for a-zA-Z0-9 should
raise an database.ccdErrors.InputError with message 'Invalid username'
"""
valid_sid = self.session.sid
name = str(getRandomBytes())
add_pld = {
"name": name,
"mail": "mail@mynewuser",
"password": "******"
}
# first we create that new user
uid = new_user(self.ccd, valid_sid, add_pld)
self.assertIsInstance(uid, int)
invalid_pld = {
"uid": uid,
"name": "$!YM=!)(>x)",
"mail": "mail@mynewuser",
"password": "******"
}
self.assertRaisesRegexp(InputError, "Invalid username", update_user,
self.ccd, valid_sid, invalid_pld)
def __get_project_db_creds(dbconn, dbname, n=10, privilege="SELECT"):
""" Creates a new user for the project database. Grant set privileges
to the new user..
input:
dbconn A database connection that is used to create the new
postgresl user.
dbname Name of the project's database.
n Length of the password.
privilege Privileges to grant. Default is 'SELECT' (read).
output:
username The new username to connect with.
password The new password to connect with.
"""
logger.debug("creating db credentials..")
username = "******" % dbname
password = ccdCrypto.getRandomBytes(n)
logger.debug('Created %s with %s (priv: %s)',
username, password, repr(privilege))
with dbconn.begin():
#TODO sha1 hash of password
create = "CREATE USER {user} WITH PASSWORD '{pwd}';".format(
user=username,
pwd=password
)
dbconn.execute(create)
__grant_project_db_priv(dbconn, username, privilege=privilege)
return username, password
def test_single_user_superadmin(self):
"""
the superadmin is allowed to receive information of an existing user.
"""
db = self.ccd._db.conn
# user that requests the information. needs ACCESS_READ
valid_sid = self.session.sid
# user to request for information
user_to_request = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user_to_request.uid, 3)
payload = {"uid": user_to_request.uid}
res = show_user(self.ccd, valid_sid, payload)[0]
try:
self.assertEqual(res["uid"], user_to_request.uid)
self.assertEqual(res["name"], user_to_request.name)
self.assertEqual(res["mail"], user_to_request.mail)
self.assertEqual(res["description"], user_to_request.description)
finally:
user_to_request.delete(db)
wg.delete(db)
def test_invalid_sid(self):
""" withough valid session id an error must be raised """
valid_sid = self.session.sid
name = str(getRandomBytes())
password = "******"
add_pld = {"name": name,
"mail": "mail@mynewuser",
"password": password}
# first we create that new user
uid = new_user(self.ccd, valid_sid, add_pld)
self.assertIsInstance(uid, int)
# second, we update this user with an invalid sessin id
password2 = "mypassword2"
update_pld = {"uid": uid,
"old": password,
"new": password2
}
invalid_sid = "AAA"
self.assertRaises(InvalidSessionID,
update_user_passwd,
self.ccd,
invalid_sid,
update_pld)
def test_project_user_superadmin(self):
"""
using pid instead of uid in payload should return user in
corresponding project
"""
db = self.ccd._db.conn
# user that requests the information. needs ACCESS_READ
valid_sid = self.session.sid
# create users
users = []
for i in range(10):
user = create_user(db, str(getRandomBytes()))
create_workgroup(db, "newworkgroup", user.uid, 3)
users.append(user)
# add users to projects
for u in users:
proj = create_project(db, "test_project_user_superadmin", u, 3)
# set None to request all users
payload = {"pid": proj.pid}
res = show_user(self.ccd, valid_sid, payload)
try:
self.assertUsersInProject(res, users)
finally:
proj.delete(db)
for u in users:
u.delete(db)
def test_project_user_owner(self):
"""
the project owner is able to request the users within its project
"""
db = self.ccd._db.conn
users = []
# user that requests the information is creator of the new project
owner = create_user(db, "owner_%s" % str(getRandomBytes()))
create_workgroup(db, "newworkgroup", owner.uid, 3)
creator = create_user(db, "creator_%s" % str(getRandomBytes()))
create_workgroup(db, "newworkgroup", creator.uid, 3)
proj = Project.create_fromname(
db,
"test_project_user_creator",
creator, # creator
owner, # owner
1, # type id
"my project" #description
)
valid_sid = self.ccd._assign_user_a_session(owner).sid
# create users
for i in range(10):
u = create_user(db, str(getRandomBytes()))
create_workgroup(db, "newworkgroup", u.uid, 3)
users.append(u)
# add users to project
for u in users:
create_project(db, "test_project_user_creator", u, 3)
# set None to request all users
payload = {"pid": proj.pid}
res = show_user(self.ccd, valid_sid, payload)
try:
self.assertUsersInProject(res, users)
finally:
proj.delete(db)
for u in users:
u.delete(db)
creator.delete(db)
owner.delete(db)
def test_project_user_owner(self):
"""
the project owner is able to request the users within its project
"""
db = self.ccd._db.conn
users = []
# user that requests the information is creator of the new project
owner = create_user(db, "owner_%s" % str(getRandomBytes()))
create_workgroup(db, "newworkgroup", owner.uid, 3)
creator = create_user(db, "creator_%s" % str(getRandomBytes()))
create_workgroup(db, "newworkgroup", creator.uid, 3)
proj = Project.create_fromname(
db,
"test_project_user_creator",
creator, # creator
owner, # owner
1, # type id
"my project" #description
)
valid_sid = self.ccd._assign_user_a_session(owner).sid
# create users
for i in range(10):
u = create_user(db, str(getRandomBytes()))
create_workgroup(db, "newworkgroup", u.uid, 3)
users.append(u)
# add users to project
for u in users:
create_project(db, "test_project_user_creator", u, 3)
# set None to request all users
payload = {"pid": proj.pid}
res = show_user(self.ccd, valid_sid, payload)
try:
self.assertUsersInProject(res, users)
finally:
proj.delete(db)
for u in users:
u.delete(db)
creator.delete(db)
owner.delete(db)
def test_missing_password(self):
"""
a missing password should raise a InputError with a message 'Invalid
payload format!'
"""
name = str(getRandomBytes())
invalid_pld = {"name": name, "mail": "mail@mynewuser"}
self.assertInvalidPayload(invalid_pld)
def test_missing_password(self):
"""
a missing password should raise a InputError with a message 'Invalid
payload format!'
"""
name = str(getRandomBytes())
invalid_pld = {"name": name,
"mail": "mail@mynewuser"}
self.assertInvalidPayload(invalid_pld)
def test_write_permission(self):
"""
verify that a user, with ACCESS_WRITE in user2users-table is able
to update an existing user.
"""
db = self.ccd._db.conn
# create a user and a workgroup. give the user ACCESS_ADD in
# user2users table
user = create_user(db, str(getRandomBytes()))
create_workgroup(db, "newworkgroup", user.uid, 2)
add_user2user(db, user.uid, 2) # ACCESS_WRITE
valid_sid = self.ccd._assign_user_a_session(user).sid
# first we create that new user
name = str(getRandomBytes())
add_pld = {
"name": name,
"mail": "mail@mynewuser",
"password": "******"
}
uid = new_user(self.ccd, valid_sid, add_pld)
self.assertIsInstance(uid, int)
# second, we update this user
name2 = str(getRandomBytes())
mail2 = "mymail%d" % random.randrange(1000, 9999)
description2 = "mydescription%d" % random.randrange(1000, 9999)
update_pld = {
"uid": uid,
"name": name2,
"mail": mail2,
"description": description2
}
self.assertIsNone(update_user(self.ccd, valid_sid, update_pld))
# third, we verify that the changed data is written to database
user = User.by_uid(self.ccd._db.conn, uid)
self.assertEqual(user.name, name2)
self.assertEqual(user.mail, mail2)
self.assertEqual(user.description, description2)
def test_password_length(self):
"""
a password that exceeds database.ccddb.MAX_LEN_PASSWORD should raise an
database.ccdErrors.InputError with a message 'Password exceeds limit!'
"""
name = str(getRandomBytes())
invalid_pld = {"name": name,
"mail": "mail@mynewuser",
"password": "******" * (MAX_LEN_PASSWORD+1)}
self.assertExceedsLimit(invalid_pld, "Password")
def test_mail_length(self):
"""
a mail that exceeds database.ccddb.MAX_LEN_MAIL should raise an
database.ccdErrors.InputError with a message 'Mail exceeds limit!'
"""
name = str(getRandomBytes())
invalid_pld = {"name": name,
"mail": "A" * (MAX_LEN_MAIL+1),
"password": "******"}
self.assertExceedsLimit(invalid_pld, "Mail")
def test_description_length(self):
"""
a description that exceeds database.ccddb.MAX_LEN_DESC should raise an
database.ccdErrors.InputError with a message 'Desc exceeds limit!'
"""
name = str(getRandomBytes())
invalid_pld = {"name": name,
"mail": "mail@mynewuser",
"password": "******",
"description": "A" * (MAX_LEN_DESC+1)}
self.assertExceedsLimit(invalid_pld, "Desc")
def setup_plugin_fd(ccd, sid, rid, args):
""" Returns the new stdout/stdin. The new fd is named after some
random bla. Further, the fd is stored in db with some additional
information like user that started the plugin and command that
issued the execution.
input:
sid session id
args arguments that were passed with OP_EXEC
output:
fd new fd name
fid database id of the fd in db
"""
logger.debug("setting forwarder for plugin")
fd_out = "/dev/null"
fd_in = "/dev/null"
fid = -1
uid = ccd.get_user_and_workgroup(sid)[0].uid
command = "%s %s" % (ccd.current_plugin.name, " ".join(args))
plg_id = ccd.current_plugin.id
# get directory for client io files
fd_dir = get_fd_dir(ccd, sid, plg_id)
# random name for new stdout/stdin
fd = os.path.join(
fd_dir,
ccdCrypto.getRandomBytes(16))
# create new stdout
fd_out = os.path.join(fd_dir, fd + "_out")
# create the output fifo
os.mkfifo(fd_out)
logger.debug('Output Fifo created: %s', fd_out)
# create new stdin
if ccd.current_plugin.interactive:
fd_in = os.path.join(fd_dir, fd + "_in")
# create the input fifo
os.mkfifo(fd_in)
logger.debug('Input Fifo created: %s', fd_in)
# store created fds in database
fid = ccddb.storeFd(ccd._db.conn, fd_out, fd_in, uid, command, plg_id, rid)
logger.debug("fid=%d", fid)
return fd_out, fd_in, fid
def test_description_length(self):
"""
a description that exceeds database.ccddb.MAX_LEN_DESC should raise an
database.ccdErrors.InputError with a message 'Desc exceeds limit!'
"""
name = str(getRandomBytes())
invalid_pld = {
"name": name,
"mail": "mail@mynewuser",
"description": "A" * (MAX_LEN_DESC + 1)
}
self.assertExceedsLimit(invalid_pld, "Desc")
def test_mail_length(self):
"""
a mail that exceeds database.ccddb.MAX_LEN_MAIL should raise an
database.ccdErrors.InputError with a message 'Mail exceeds limit!'
"""
name = str(getRandomBytes())
invalid_pld = {
"name": name,
"mail": "A" * (MAX_LEN_MAIL + 1),
"password": "******"
}
self.assertExceedsLimit(invalid_pld, "Mail")
def test_password_length(self):
"""
a password that exceeds database.ccddb.MAX_LEN_PASSWORD should raise an
database.ccdErrors.InputError with a message 'Password exceeds limit!'
"""
name = str(getRandomBytes())
invalid_pld = {
"name": name,
"mail": "mail@mynewuser",
"password": "******" * (MAX_LEN_PASSWORD + 1)
}
self.assertExceedsLimit(invalid_pld, "Password")
def test_addpermission(self):
"""
verify that a user with ACCESS_ADD in user2user table is able to
create new users. note: this user must not be the superadmin.
"""
db = self.ccd._db.conn
# create a user and a workgroup. give the user ACCESS_ADD in
# user2users table
user = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user.uid, 2)
del_user2user(db, user.uid)
add_user2user(db, user.uid, 2) # ACCESS_ADD
valid_sid = self.ccd._assign_user_a_session(user).sid
# create user
name = str(getRandomBytes())
valid_pld = {
"name": name,
"mail": "mail@mynewuser",
"password": "******"
}
# first we create that new user
uid = new_user(self.ccd, valid_sid, valid_pld)
self.assertIsInstance(uid, int)
# second, we check for the user to be in the database
user2 = User.by_name(self.ccd._db.conn, name)
try:
self.assertEqual(uid, user2.uid)
finally:
# delete them, since they are not needed anymore
user2.delete(db)
user.delete(db)
wg.delete(db)
def test_superadmin(self):
""" verify that the superadmin is able to create users"""
valid_sid = self.session.sid
name = str(getRandomBytes())
valid_pld = {"name": name,
"mail": "mail@mynewuser",
"password": "******"}
# first we create that new user
uid = new_user(self.ccd, valid_sid, valid_pld)
self.assertIsInstance(uid, int)
# second, we check for the user to be in the database
uid2 = User.by_name(self.ccd._db.conn, name).uid
self.assertEqual(uid, uid2)
def test_non_existing_user(self):
""" updating a non existing user should raise a NotFoundError """
valid_sid = self.session.sid
name = str(getRandomBytes())
mail = "mymail%d" % random.randrange(1000, 9999)
description = "mydescription%d" % random.randrange(1000, 9999)
update_pld = {
"uid": random.randrange(10000, 99999) * -1,
"name": name,
"mail": mail,
"description": description
}
self.assertRaises(NotFoundError, update_user, self.ccd, valid_sid,
update_pld)
def test_superadmin(self):
""" verify that the superadmin is able to delete users"""
valid_sid = self.session.sid
name = str(getRandomBytes())
add_pld = {"name": name,
"mail": "mail@mynewuser",
"password": "******"}
# first we create that new user
uid = new_user(self.ccd, valid_sid, add_pld)
self.assertIsInstance(uid, int)
# second, we delete the user
del_pld = {"uid": uid}
self.assertIsNone(delete_user(self.ccd, valid_sid, del_pld))
def setup_plugin_fd(ccd, sid, rid, args):
""" Returns the new stdout/stdin. The new fd is named after some
random bla. Further, the fd is stored in db with some additional
information like user that started the plugin and command that
issued the execution.
input:
sid session id
args arguments that were passed with OP_EXEC
output:
fd new fd name
fid database id of the fd in db
"""
logger.debug("setting forwarder for plugin")
fd_out = "/dev/null"
fd_in = "/dev/null"
fid = -1
uid = ccd.get_user_and_workgroup(sid)[0].uid
command = "%s %s" % (ccd.current_plugin.name, " ".join(args))
plg_id = ccd.current_plugin.id
# get directory for client io files
fd_dir = get_fd_dir(ccd, sid, plg_id)
# random name for new stdout/stdin
fd = os.path.join(fd_dir, ccdCrypto.getRandomBytes(16))
# create new stdout
fd_out = os.path.join(fd_dir, fd + "_out")
# create the output fifo
os.mkfifo(fd_out)
logger.debug('Output Fifo created: %s', fd_out)
# create new stdin
if ccd.current_plugin.interactive:
fd_in = os.path.join(fd_dir, fd + "_in")
# create the input fifo
os.mkfifo(fd_in)
logger.debug('Input Fifo created: %s', fd_in)
# store created fds in database
fid = ccddb.storeFd(ccd._db.conn, fd_out, fd_in, uid, command, plg_id, rid)
logger.debug("fid=%d", fid)
return fd_out, fd_in, fid
def test_superadmin(self):
""" verify that the superadmin is able to delete users"""
valid_sid = self.session.sid
name = str(getRandomBytes())
add_pld = {
"name": name,
"mail": "mail@mynewuser",
"password": "******"
}
# first we create that new user
uid = new_user(self.ccd, valid_sid, add_pld)
self.assertIsInstance(uid, int)
# second, we delete the user
del_pld = {"uid": uid}
self.assertIsNone(delete_user(self.ccd, valid_sid, del_pld))
def test_uid_noint(self):
""" verify that a non-int uid raises an InputError """
db = self.ccd._db.conn
valid_sid = self.session.sid
name1 = str(getRandomBytes())
create_user(db, name1).uid
update_pld = {
"uid": "foobar",
"name": "fubar",
"mail": "foo",
"description": "bar"
}
self.assertRaisesRegexp(InputError, "Invalid payload format!",
update_user, self.ccd, valid_sid, update_pld)
def test_superadmin(self):
""" verify that the superadmin is able to create users"""
valid_sid = self.session.sid
name = str(getRandomBytes())
valid_pld = {
"name": name,
"mail": "mail@mynewuser",
"password": "******"
}
# first we create that new user
uid = new_user(self.ccd, valid_sid, valid_pld)
self.assertIsInstance(uid, int)
# second, we check for the user to be in the database
uid2 = User.by_name(self.ccd._db.conn, name).uid
self.assertEqual(uid, uid2)
def test_single_user_itself(self):
"""
showing information of the user itself should work. the user is no
superadmin.
"""
db = self.ccd._db.conn
user = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user.uid, 3)
valid_sid = self.ccd._assign_user_a_session(user).sid
payload = {"uid": user.uid}
res = show_user(self.ccd, valid_sid, payload)[0]
try:
self.assertEqual(res["uid"], user.uid)
self.assertEqual(res["name"], user.name)
self.assertEqual(res["mail"], user.mail)
self.assertEqual(res["description"], user.description)
finally:
user.delete(db)
wg.delete(db)
def test_single_user_itself(self):
"""
showing information of the user itself should work. the user is no
superadmin.
"""
db = self.ccd._db.conn
user = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user.uid, 3)
valid_sid = self.ccd._assign_user_a_session(user).sid
payload = {"uid": user.uid}
res = show_user(self.ccd, valid_sid, payload)[0]
try:
self.assertEqual(res["uid"], user.uid)
self.assertEqual(res["name"], user.name)
self.assertEqual(res["mail"], user.mail)
self.assertEqual(res["description"], user.description)
finally:
user.delete(db)
wg.delete(db)
def test_single_user_nonexisting(self):
"""
requesting a non-existing user should fail
"""
db = self.ccd._db.conn
# user that requests the information. needs ACCESS_READ
valid_sid = self.session.sid
# user to request for information
user_to_request = create_user(db, str(getRandomBytes()))
wg = create_workgroup(db, "newworkgroup", user_to_request.uid, 3)
payload = {"uid": -1}
try:
self.assertRaises(NotFoundError, show_user, self.ccd, valid_sid,
payload)
finally:
user_to_request.delete(db)
wg.delete(db)
def test_permission_denied(self):
"""
verify that a non-superdmin user, who has no ACCESS_WRITE is not
allowed to modify a user
"""
db = self.ccd._db.conn
# create a user and a workgroup. give the user ACCESS_ADD in
# user2users table
user = create_user(db, str(random.randrange(1000, 9999)))
wg = create_workgroup(db, "newworkgroup", user.uid, 2)
add_user2user(db, user.uid, 3) # No ACCESS_WRITE
# create user
name = str(getRandomBytes())
password = "******"
valid_pld = {"name": name,
"mail": "mail@mynewuser",
"password": password}
# first we create that new user with SA session
uid = new_user(self.ccd, self.session.sid, valid_pld)
self.assertIsInstance(uid, int)
# second, we update this user with a user who has now allowance to do
# so
password2 = "mypassword2"
update_pld = {"uid": uid,
"old": password,
"new": password2
}
valid_sid = self.ccd._assign_user_a_session(user).sid
self.assertRaises(PermissionDenied,
update_user_passwd,
self.ccd,
valid_sid,
update_pld)
def test_missing_newpassword(self):
""" without providing a new password an InputError must be raised """
valid_sid = self.session.sid
name = str(getRandomBytes())
password = "******"
add_pld = {"name": name,
"mail": "mail@mynewuser",
"password": password}
# first we create that new user
uid = new_user(self.ccd, valid_sid, add_pld)
self.assertIsInstance(uid, int)
# second, we update this user
update_pld = {"uid": uid,
"old": password
}
self.assertRaisesRegexp(InputError,
"Invalid payload format!",
update_user_passwd,
self.ccd,
valid_sid,
update_pld)
def test_addpermission(self):
"""
verify that a user with ACCESS_ADD in user2user table is able to
update user's passwords. note: this user must not be the superadmin.
"""
db = self.ccd._db.conn
# create a user and a workgroup. give the user ACCESS_ADD in
# user2users table
user = create_user(db, str(random.randrange(1000, 9999)))
create_workgroup(db, "newworkgroup", user.uid, 2)
add_user2user(db, user.uid, 2) # ACCESS_ADD
valid_sid = self.ccd._assign_user_a_session(user).sid
# create user
name = str(getRandomBytes())
password = "******"
valid_pld = {"name": name,
"mail": "mail@mynewuser",
"password": password}
# first we create that new user
uid = new_user(self.ccd, valid_sid, valid_pld)
self.assertIsInstance(uid, int)
# second, we update this user
password2 = "mypassword2"
update_pld = {"uid": uid,
"old": password,
"new": password2
}
self.assertIsNone(update_user_passwd(self.ccd, valid_sid, update_pld))
# third, we verify that the changed data is written to database
users = getusers(self.ccd._db.conn, name, password2)
self.assertEqual(len(users), 1)
def test_superadmin(self):
""" verify that the superadmin is able to update user's password """
valid_sid = self.session.sid
name = str(getRandomBytes())
password = "******"
add_pld = {"name": name,
"mail": "mail@mynewuser",
"password": password}
# first we create that new user
uid = new_user(self.ccd, valid_sid, add_pld)
self.assertIsInstance(uid, int)
# second, we update this user
password2 = "mypassword2"
update_pld = {"uid": uid,
"old": password,
"new": password2
}
self.assertIsNone(update_user_passwd(self.ccd, valid_sid, update_pld))
# third, we verify that the changed data is written to database
users = getusers(self.ccd._db.conn, name, password2)
self.assertEqual(len(users), 1)
