def test_single_user_nonsuperadmin(self): """ a user is allowed to receive information of an arbitrary user, if he has ACCESS_READ in the user2user table. """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 3) # ACCESS_READ valid_sid = self.ccd._assign_user_a_session(user).sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user_to_request.uid, 3) payload = {"uid": user_to_request.uid} res = show_user(self.ccd, valid_sid, payload)[0] try: self.assertEqual(res["uid"], user_to_request.uid) self.assertEqual(res["name"], user_to_request.name) self.assertEqual(res["mail"], user_to_request.mail) self.assertEqual(res["description"], user_to_request.description) finally: user.delete(db) user_to_request.delete(db) wg.delete(db)
def test_permission_denied(self): """ verify that a non-superdmin user, who has no ACCESS_WRITE is not allowed to modify a user """ db = self.ccd._db.conn # first we create that new user uid = create_user(db, str(getRandomBytes())).uid # create a user and a workgroup w/o ACCESS_ADD in # user2users table user = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 4) # NO ACCESS_WRITE valid_sid = self.ccd._assign_user_a_session(user).sid # second, we update this user name2 = str(getRandomBytes()) mail2 = "mymail%d" % random.randrange(1000, 9999) description2 = "mydescription%d" % random.randrange(1000, 9999) update_pld = { "uid": uid, "name": name2, "mail": mail2, "description": description2 } self.assertRaises(PermissionDenied, update_user, self.ccd, valid_sid, update_pld)
def test_project_user_superadmin(self): """ using pid instead of uid in payload should return user in corresponding project """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ valid_sid = self.session.sid # create users users = [] for i in range(10): user = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user.uid, 3) users.append(user) # add users to projects for u in users: proj = create_project(db, "test_project_user_superadmin", u, 3) # set None to request all users payload = {"pid": proj.pid} res = show_user(self.ccd, valid_sid, payload) try: self.assertUsersInProject(res, users) finally: proj.delete(db) for u in users: u.delete(db)
def test_single_user_permission_denied(self): """ a user that is not superadmin and has no ACCESS_READ must fail reading user information (of user that are not the user ifself). it must be raised a permission denied exceperion. Note. every role includes ACCESS_READ by default, hence the user that requests the information must no be in user2user table. """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) valid_sid = self.ccd._assign_user_a_session(user).sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user_to_request.uid, 3) payload = {"uid": user_to_request.uid} try: self.assertRaises(PermissionDenied, show_user, self.ccd, valid_sid, payload) finally: user.delete(db) user_to_request.delete(db) wg.delete(db)
def test_all_user_permission_denied(self): """ a user that is not superadmin and has no ACCESS_READ must fail reading user information (of user that are not the user ifself). it must be raised a permission denied exception """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) valid_sid = self.ccd._assign_user_a_session(user).sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user_to_request.uid, 3) # set None to request all users payload = {"uid": None} try: self.assertRaises(PermissionDenied, show_user, self.ccd, valid_sid, payload) finally: user.delete(db) user_to_request.delete(db) wg.delete(db)
def test_project_set(self): """ verify the stage is passed with a valid project set and the user is not a superadmin """ db = self.ccd._db.conn user = create_user(db, "my non admin user") wg = create_workgroup(db, "wgroup", user.uid, 3) # role id 3 = normal # user, no wgroup admin proj = create_project(db, "my project", user, 2) # project admin, role # does not matter in # this test try: # get a session for the non-admin valid_session = self.ccd._assign_user_a_session(user) valid_sid = valid_session.sid valid_session.setproject(db, proj) self.assertTrue(stage_three(self.ccd, valid_sid)) finally: if valid_session: valid_session.unsetproject(db, proj) user.delete(db) wg.delete(db) proj.delete(db)
def test_addpermission(self): """ verify that a user with ACCESS_ADD in user2user table is able to create new users. note: this user must not be the superadmin. """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 2) del_user2user(db, user.uid) add_user2user(db, user.uid, 2) # ACCESS_ADD valid_sid = self.ccd._assign_user_a_session(user).sid # create user name = str(getRandomBytes()) valid_pld = {"name": name, "mail": "mail@mynewuser", "password": "******"} # first we create that new user uid = new_user(self.ccd, valid_sid, valid_pld) self.assertIsInstance(uid, int) # second, we check for the user to be in the database user2 = User.by_name(self.ccd._db.conn, name) try: self.assertEqual(uid, user2.uid) finally: # delete them, since they are not needed anymore user2.delete(db) user.delete(db) wg.delete(db)
def test_delpermission(self): """ verify that a user with ACCESS_DEL in user2user table is able to delete users. note: this user must not be the superadmin. """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(random.randrange(1000,9999))) wg = create_workgroup(db, "newworkgroup", user.uid, 2) add_user2user(db, user.uid, 2) # ACCESS_DEL valid_sid = self.ccd._assign_user_a_session(user).sid # create user name = str(getRandomBytes()) valid_pld = {"name": name, "mail": "mail@mynewuser", "password": "******"} # first we create that new user uid = new_user(self.ccd, valid_sid, valid_pld) self.assertIsInstance(uid, int) # second, we delete that user del_pld = {"uid": uid} self.assertIsNone(delete_user(self.ccd, valid_sid, del_pld)) user.delete(db) wg.delete(db)
def test_permission_denied(self): """ if user is no superadmin and has no ACCESS_DEL, a permissionDenied exception is raised """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(random.randrange(1000,9999))) wg = create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 4) # NO ACCESS_DEL valid_sid = self.ccd._assign_user_a_session(user).sid invalid_pld = {"uid": "foo"} try: self.assertRaises(PermissionDenied, delete_user, self.ccd, valid_sid, invalid_pld) finally: user.delete(db) wg.delete(db)
def test_all_user_nonsuperadmin(self): """ a user is allowed to receive information of a user, if he has ACCESS_READ in the user2user table. """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 3) # ACCESS_READ valid_sid = self.ccd._assign_user_a_session(user).sid # set None to request all users payload = {"uid": None} res = show_user(self.ccd, valid_sid, payload) meta, conn = db tbl = meta.tables[tbl_users] with conn.begin(): sel = tbl.select().where(tbl.c.deleted == False) users = conn.execute(sel).fetchall() try: self.assertEqualResolution(res, users) finally: user.delete(db) wg.delete(db)
def test_single_user_superadmin(self): """ the superadmin is allowed to receive information of an existing user. """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ valid_sid = self.session.sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user_to_request.uid, 3) payload = {"uid": user_to_request.uid} res = show_user(self.ccd, valid_sid, payload)[0] try: self.assertEqual(res["uid"], user_to_request.uid) self.assertEqual(res["name"], user_to_request.name) self.assertEqual(res["mail"], user_to_request.mail) self.assertEqual(res["description"], user_to_request.description) finally: user_to_request.delete(db) wg.delete(db)
def test_permission_denied(self): """ if the user is no superadmin and has no ACCESS_ADD a permissionDenied exception is raised """ db = self.ccd._db.conn user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 3) # no ACCESS_ADD valid_sid = self.ccd._assign_user_a_session(user).sid # create user name = str(getRandomBytes()) valid_pld = { "name": name, "mail": "mail@mynewuser", "password": "******" } try: self.assertRaises(PermissionDenied, new_user, self.ccd, valid_sid, valid_pld) finally: user.delete(db) wg.delete(db)
def test_all_user_nonsuperadmin(self): """ a user is allowed to receive information of a user, if he has ACCESS_READ in the user2user table. """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 3) # ACCESS_READ valid_sid = self.ccd._assign_user_a_session(user).sid # set None to request all users payload = {"uid": None} res = show_user(self.ccd, valid_sid, payload) meta, conn = db tbl = meta.tables[tbl_users] with conn.begin(): sel = tbl.select().where(tbl.c.deleted==False) users = conn.execute(sel).fetchall() try: self.assertEqualResolution(res, users) finally: user.delete(db) wg.delete(db)
def test_single_user_nonexisting(self): """ requesting a non-existing user should fail """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ valid_sid = self.session.sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user_to_request.uid, 3) payload = {"uid": -1} try: self.assertRaises(NotFoundError, show_user, self.ccd, valid_sid, payload) finally: user_to_request.delete(db) wg.delete(db)
def test_delpermission(self): """ verify that a user with ACCESS_DEL in user2user table is able to delete users. note: this user must not be the superadmin. """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(random.randrange(1000, 9999))) wg = create_workgroup(db, "newworkgroup", user.uid, 2) add_user2user(db, user.uid, 2) # ACCESS_DEL valid_sid = self.ccd._assign_user_a_session(user).sid # create user name = str(getRandomBytes()) valid_pld = { "name": name, "mail": "mail@mynewuser", "password": "******" } # first we create that new user uid = new_user(self.ccd, valid_sid, valid_pld) self.assertIsInstance(uid, int) # second, we delete that user del_pld = {"uid": uid} self.assertIsNone(delete_user(self.ccd, valid_sid, del_pld)) user.delete(db) wg.delete(db)
def test_permission_denied(self): """ if the user is no superadmin and has no ACCESS_ADD a permissionDenied exception is raised """ db = self.ccd._db.conn user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 3) # no ACCESS_ADD valid_sid = self.ccd._assign_user_a_session(user).sid # create user name = str(getRandomBytes()) valid_pld = {"name": name, "mail": "mail@mynewuser", "password": "******"} try: self.assertRaises(PermissionDenied, new_user, self.ccd, valid_sid, valid_pld) finally: user.delete(db) wg.delete(db)
def test_write_permission(self): """ verify that a user, with ACCESS_WRITE in user2users-table is able to update an existing user. """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user.uid, 2) add_user2user(db, user.uid, 2) # ACCESS_WRITE valid_sid = self.ccd._assign_user_a_session(user).sid # first we create that new user name = str(getRandomBytes()) add_pld = { "name": name, "mail": "mail@mynewuser", "password": "******" } uid = new_user(self.ccd, valid_sid, add_pld) self.assertIsInstance(uid, int) # second, we update this user name2 = str(getRandomBytes()) mail2 = "mymail%d" % random.randrange(1000, 9999) description2 = "mydescription%d" % random.randrange(1000, 9999) update_pld = { "uid": uid, "name": name2, "mail": mail2, "description": description2 } self.assertIsNone(update_user(self.ccd, valid_sid, update_pld)) # third, we verify that the changed data is written to database user = User.by_uid(self.ccd._db.conn, uid) self.assertEqual(user.name, name2) self.assertEqual(user.mail, mail2) self.assertEqual(user.description, description2)
def test_addpermission(self): """ verify that a user with ACCESS_ADD in user2user table is able to update user's passwords. note: this user must not be the superadmin. """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(random.randrange(1000, 9999))) create_workgroup(db, "newworkgroup", user.uid, 2) add_user2user(db, user.uid, 2) # ACCESS_ADD valid_sid = self.ccd._assign_user_a_session(user).sid # create user name = str(getRandomBytes()) password = "******" valid_pld = {"name": name, "mail": "mail@mynewuser", "password": password} # first we create that new user uid = new_user(self.ccd, valid_sid, valid_pld) self.assertIsInstance(uid, int) # second, we update this user password2 = "mypassword2" update_pld = {"uid": uid, "old": password, "new": password2 } self.assertIsNone(update_user_passwd(self.ccd, valid_sid, update_pld)) # third, we verify that the changed data is written to database users = getusers(self.ccd._db.conn, name, password2) self.assertEqual(len(users), 1)
def test_no_project(self): """ if no project is set, the user has no write access to create one and the operations is non of the allowed ones, stage three must fail """ db = self.ccd._db.conn user = create_user(db, "my non admin user") wg = create_workgroup(db, "wgroup", user.uid, 3) # role id 3 = normal # user, no wgroup admin try: valid_session = self.ccd._assign_user_a_session(user) valid_sid = valid_session.sid operations = [ op for op in dir(ccdlib) if op.startswith("OP_") and not op in ("OP_LOGOUT", "OP_SETPROJ", "OP_SHOWPROJ", "OP_NEWPROJ", "OP_DELPROJ", "OP_UPDATEPROJ", "OP_ADDPROJMEMBER", "OP_DELPROJMEMBER", "OP_ADDPROJPLG", "OP_DELPROJPLG", "OP_SHOWWGROUP")] # also test some values that are not part of the protocol # specification operations.extend([-1, 999999]) for op in operations: print("testing %s" % op) valid_rid = valid_session.assign_rid() self.assertRaisesRegexp(SessionError, "Invalid Operation in stage 3!", verify_stages, self.ccd, valid_sid, valid_rid, op ) finally: user.delete(db) wg.delete(db)
def test_no_project_but_write_access(self): """ if no project is set, the user passes the stage if he is allowed to create one """ db = self.ccd._db.conn user = create_user(db, "my non admin user") wg = create_workgroup(db, "wgroup", user.uid, 2) # role id 2 = wgroup # admin with write # access try: valid_session = self.ccd._assign_user_a_session(user) valid_sid = valid_session.sid self.assertTrue(stage_three(self.ccd, valid_sid)) finally: user.delete(db) wg.delete(db)
def test_single_user_itself(self): """ showing information of the user itself should work. the user is no superadmin. """ db = self.ccd._db.conn user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) valid_sid = self.ccd._assign_user_a_session(user).sid payload = {"uid": user.uid} res = show_user(self.ccd, valid_sid, payload)[0] try: self.assertEqual(res["uid"], user.uid) self.assertEqual(res["name"], user.name) self.assertEqual(res["mail"], user.mail) self.assertEqual(res["description"], user.description) finally: user.delete(db) wg.delete(db)
def _test_non_admin_operation(self, op): """ gets an operation an test for proper executing for a workgroup user (non-workgroup admin). asserts True as result. """ db = self.ccd._db.conn user = create_user(db, "my non admin user") wg = create_workgroup(db, "wgroup", user.uid, 3) # role id 3 = normal # user, no wgroup admin try: valid_session = self.ccd._assign_user_a_session(user) valid_sid = valid_session.sid valid_rid = valid_session.assign_rid() res = verify_stages(self.ccd, valid_sid, valid_rid, op) self.assertTrue(res) finally: user.delete(db) wg.delete(db)
def test_project_user_owner(self): """ the project owner is able to request the users within its project """ db = self.ccd._db.conn users = [] # user that requests the information is creator of the new project owner = create_user(db, "owner_%s" % str(getRandomBytes())) create_workgroup(db, "newworkgroup", owner.uid, 3) creator = create_user(db, "creator_%s" % str(getRandomBytes())) create_workgroup(db, "newworkgroup", creator.uid, 3) proj = Project.create_fromname( db, "test_project_user_creator", creator, # creator owner, # owner 1, # type id "my project" #description ) valid_sid = self.ccd._assign_user_a_session(owner).sid # create users for i in range(10): u = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", u.uid, 3) users.append(u) # add users to project for u in users: create_project(db, "test_project_user_creator", u, 3) # set None to request all users payload = {"pid": proj.pid} res = show_user(self.ccd, valid_sid, payload) try: self.assertUsersInProject(res, users) finally: proj.delete(db) for u in users: u.delete(db) creator.delete(db) owner.delete(db)
def test_permission_denied(self): """ if user is no superadmin and has no ACCESS_DEL, a permissionDenied exception is raised """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(random.randrange(1000, 9999))) wg = create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 4) # NO ACCESS_DEL valid_sid = self.ccd._assign_user_a_session(user).sid invalid_pld = {"uid": "foo"} try: self.assertRaises(PermissionDenied, delete_user, self.ccd, valid_sid, invalid_pld) finally: user.delete(db) wg.delete(db)
def test_permission_denied(self): """ verify that a non-superdmin user, who has no ACCESS_WRITE is not allowed to modify a user """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(random.randrange(1000, 9999))) wg = create_workgroup(db, "newworkgroup", user.uid, 2) add_user2user(db, user.uid, 3) # No ACCESS_WRITE # create user name = str(getRandomBytes()) password = "******" valid_pld = {"name": name, "mail": "mail@mynewuser", "password": password} # first we create that new user with SA session uid = new_user(self.ccd, self.session.sid, valid_pld) self.assertIsInstance(uid, int) # second, we update this user with a user who has now allowance to do # so password2 = "mypassword2" update_pld = {"uid": uid, "old": password, "new": password2 } valid_sid = self.ccd._assign_user_a_session(user).sid self.assertRaises(PermissionDenied, update_user_passwd, self.ccd, valid_sid, update_pld)
def test_no_project(self): """ if no project is set, the user has no write access to create one and the operations is non of the allowed ones, stage three must fail """ db = self.ccd._db.conn user = create_user(db, "my non admin user") wg = create_workgroup(db, "wgroup", user.uid, 3) # role id 3 = normal # user, no wgroup admin try: valid_session = self.ccd._assign_user_a_session(user) valid_sid = valid_session.sid operations = [ op for op in dir(ccdlib) if op.startswith("OP_") and not op in ("OP_LOGOUT", "OP_SETPROJ", "OP_SHOWPROJ", "OP_NEWPROJ", "OP_DELPROJ", "OP_UPDATEPROJ", "OP_ADDPROJMEMBER", "OP_DELPROJMEMBER", "OP_ADDPROJPLG", "OP_DELPROJPLG", "OP_SHOWWGROUP") ] # also test some values that are not part of the protocol # specification operations.extend([-1, 999999]) for op in operations: print("testing %s" % op) valid_rid = valid_session.assign_rid() self.assertRaisesRegexp(SessionError, "Invalid Operation in stage 3!", verify_stages, self.ccd, valid_sid, valid_rid, op) finally: user.delete(db) wg.delete(db)
def test_addpermission(self): """ verify that a user with ACCESS_ADD in user2user table is able to create new users. note: this user must not be the superadmin. """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 2) del_user2user(db, user.uid) add_user2user(db, user.uid, 2) # ACCESS_ADD valid_sid = self.ccd._assign_user_a_session(user).sid # create user name = str(getRandomBytes()) valid_pld = { "name": name, "mail": "mail@mynewuser", "password": "******" } # first we create that new user uid = new_user(self.ccd, valid_sid, valid_pld) self.assertIsInstance(uid, int) # second, we check for the user to be in the database user2 = User.by_name(self.ccd._db.conn, name) try: self.assertEqual(uid, user2.uid) finally: # delete them, since they are not needed anymore user2.delete(db) user.delete(db) wg.delete(db)