    def test_is_authorized_for_service(self):
        """Service-level authorization decisions for the three fixture users.

        Each user is made current on the authenticator and probed against a
        few service paths. The unknown path ``/test/ridiculous`` must be
        denied for every user (deny by default). With ``ACMitch`` still
        current, the raising variant ``assert_authorized_for_service`` is
        exercised once for an allowed path and once for a denied one, which
        must raise ``AccessControlException`` rather than return.
        """
        controller = ESAPI.access_controller()
        authenticator = ESAPI.authenticator()

        # (user, service path, expected decision), in the original probe order.
        expectations = [
            ("ACAlice", "/services/ServiceA", True),
            ("ACAlice", "/services/ServiceB", False),
            ("ACAlice", "/services/ServiceC", True),
            ("ACAlice", "/test/ridiculous", False),
            ("ACBob", "/services/ServiceA", False),
            ("ACBob", "/services/ServiceB", True),
            ("ACBob", "/services/ServiceF", False),
            ("ACBob", "/test/ridiculous", False),
            ("ACMitch", "/services/ServiceA", True),
            ("ACMitch", "/services/ServiceB", True),
            ("ACMitch", "/services/ServiceE", False),
            ("ACMitch", "/test/ridiculous", False),
        ]

        active = None
        for account, service, allowed in expectations:
            # Switch the current user only at group boundaries, so each
            # fixture user is looked up exactly once.
            if account != active:
                authenticator.current_user = authenticator.get_user(account)
                active = account
            verdict = controller.is_authorized_for_service(service)
            if allowed:
                self.assertTrue(verdict)
            else:
                self.assertFalse(verdict)

        # ACMitch is still current: ServiceD passes silently, the unknown
        # path must raise instead of returning a value.
        controller.assert_authorized_for_service("/services/ServiceD")
        self.assertRaises(
            AccessControlException,
            controller.assert_authorized_for_service,
            "/test/ridiculous",
        )
    def test_is_authorized_for_function(self):
        """Function-level authorization decisions for the three fixture users.

        Every ``/FunctionX`` probe is paired with its ``/FunctionXdeny``
        counterpart, which must be denied even for a user allowed the base
        function. With ``ACMitch`` still current, the raising variant
        ``assert_authorized_for_function`` must pass for ``/FunctionA`` and
        raise ``AccessControlException`` for ``/FunctionDdeny``.
        """
        controller = ESAPI.access_controller()
        authenticator = ESAPI.authenticator()

        # Per user: function path -> expected decision (insertion order kept).
        matrix = {
            "ACAlice": {
                "/FunctionA": True,
                "/FunctionAdeny": False,
                "/FunctionB": False,
                "/FunctionBdeny": False,
                "/FunctionC": True,
                "/FunctionCdeny": False,
            },
            "ACBob": {
                "/FunctionA": False,
                "/FunctionAdeny": False,
                "/FunctionB": True,
                "/FunctionBdeny": False,
                "/FunctionD": True,
                "/FunctionDdeny": False,
            },
            "ACMitch": {
                "/FunctionA": True,
                "/FunctionAdeny": False,
                "/FunctionB": True,
                "/FunctionBdeny": False,
                "/FunctionC": True,
                "/FunctionCdeny": False,
            },
        }

        for account, probes in matrix.items():
            authenticator.current_user = authenticator.get_user(account)
            for function_path, allowed in probes.items():
                check = self.assertTrue if allowed else self.assertFalse
                check(controller.is_authorized_for_function(function_path))

        # ACMitch remains current for the raising variant.
        controller.assert_authorized_for_function("/FunctionA")
        self.assertRaises(
            AccessControlException,
            controller.assert_authorized_for_function,
            "/FunctionDdeny",
        )
    def test_is_authorized_for_data(self):
        """Data authorization by (action, class name) for the fixture users.

        The class names stand for data types with different permissions,
        as the local names spell out: ``adminR`` is admin read-only,
        ``userW`` is user write-only, ``anyR`` is readable by everyone but
        writable by nobody, and ``undefined`` has no rule and must be
        denied for both actions. With ``ACMitch`` still current, the raising
        variant must pass for a user read and raise
        ``AccessControlException`` for a write to admin read-only data.
        """
        controller = ESAPI.access_controller()
        authenticator = ESAPI.authenticator()

        adminR = "java.util.ArrayList"
        adminRW = "java.lang.Math"
        userW = "java.util.Date"
        userRW = "java.lang.String"
        anyR = "java.io.BufferedReader"
        userAdminR = "java.util.Random"
        userAdminRW = "java.awt.event.MouseWheelEvent"
        undefined = "java.io.FileWriter"

        def expect(allowed, action, target):
            # Route through assertTrue/assertFalse exactly as the
            # individual assertions would.
            decision = controller.is_authorized_for_data(action, target)
            if allowed:
                self.assertTrue(decision)
            else:
                self.assertFalse(decision)

        # Per user, in probe order: (expected, action, target).
        scenarios = [
            ("ACAlice", [  # user role
                (True, "read", userRW),
                (False, "read", undefined),
                (False, "write", undefined),
                (False, "read", userW),
                (False, "read", adminRW),
                (True, "write", userRW),
                (True, "write", userW),
                (False, "write", anyR),
                (True, "read", anyR),
                (True, "read", userAdminR),
                (True, "write", userAdminRW),
            ]),
            ("ACBob", [  # admin role
                (True, "read", adminRW),
                (False, "read", undefined),
                (False, "write", undefined),
                (False, "read", userRW),
                (True, "write", adminRW),
                (False, "write", anyR),
                (True, "read", anyR),
                (True, "read", userAdminR),
                (True, "write", userAdminRW),
            ]),
            ("ACMitch", [  # user + admin roles
                (True, "read", userRW),
                (False, "read", undefined),
                (False, "write", undefined),
                (False, "read", userW),
                (True, "read", adminR),
                (True, "write", userRW),
                (True, "write", userW),
                (False, "write", anyR),
                (True, "read", anyR),
                (True, "read", userAdminR),
                (True, "write", userAdminRW),
            ]),
        ]

        for account, probes in scenarios:
            authenticator.current_user = authenticator.get_user(account)
            for allowed, action, target in probes:
                expect(allowed, action, target)

        # ACMitch remains current for the raising variant.
        controller.assert_authorized_for_data("read", userRW)
        self.assertRaises(
            AccessControlException,
            controller.assert_authorized_for_data,
            "write",
            adminR,
        )
    def test_is_authorized_for_url(self):
        """URL authorization decisions for the three fixture users.

        ``/nobody``, ``/test/none``, ``/test/moderator`` and ``/upload`` are
        denied for every user, ``/test/all`` and ``/test/profile`` allowed
        for every user. Image files under the otherwise denied ``/test/none``
        (``.gif``, ``.png``) are allowed while ``test.exe`` there stays
        denied, so the rules distinguish by file extension and not just by
        path prefix. With ``ACMitch`` still current, the raising variant must
        pass for ``/test/admin`` and raise ``AccessControlException`` for
        ``/nobody``.
        """
        controller = ESAPI.access_controller()
        authenticator = ESAPI.authenticator()

        # (user, (url, expected decision) ...), in the original probe order.
        expectations = (
            ("ACAlice", (
                ("/nobody", False),
                ("/test/admin", False),
                ("/test/user", True),
                ("/test/all", True),
                ("/test/none", False),
                ("/test/none/test.gif", True),
                ("/test/none/test.exe", False),
                ("/test/none/test.png", True),
                ("/test/moderator", False),
                ("/test/profile", True),
                ("/upload", False),
            )),
            ("ACBob", (
                ("/nobody", False),
                ("/test/admin", True),
                ("/test/user", False),
                ("/test/all", True),
                ("/test/none", False),
                ("/test/none/test.png", True),
                ("/test/moderator", False),
                ("/test/profile", True),
                ("/upload", False),
            )),
            ("ACMitch", (
                ("/nobody", False),
                ("/test/admin", True),
                ("/test/user", True),
                ("/test/all", True),
                ("/test/none", False),
                ("/test/none/test.png", True),
                ("/test/moderator", False),
                ("/test/profile", True),
                ("/upload", False),
            )),
        )

        for account, probes in expectations:
            authenticator.current_user = authenticator.get_user(account)
            for url, allowed in probes:
                outcome = controller.is_authorized_for_url(url)
                (self.assertTrue if allowed else self.assertFalse)(outcome)

        # ACMitch remains current for the raising variant.
        controller.assert_authorized_for_url("/test/admin")
        self.assertRaises(
            AccessControlException,
            controller.assert_authorized_for_url,
            "/nobody",
        )
    def test_is_authorized_for_file(self):
        """File authorization decisions for the three fixture users.

        The unlisted path ``/Dir/ridiculous`` must be denied for every user
        (deny by default). With ``ACMitch`` still current, the raising
        variant must pass for ``/Dir/File1`` and raise
        ``AccessControlException`` for ``/Dir/File6``.
        """
        controller = ESAPI.access_controller()
        authenticator = ESAPI.authenticator()

        def probe(account, allowed_files, denied_files):
            # Allowed and denied paths are interleaved in the original
            # order by listing them per user below; check each group
            # with the matching assertion.
            authenticator.current_user = authenticator.get_user(account)
            for path, allowed in allowed_files:
                if allowed:
                    self.assertTrue(controller.is_authorized_for_file(path))
                else:
                    self.assertFalse(controller.is_authorized_for_file(path))
            for path in denied_files:
                self.assertFalse(controller.is_authorized_for_file(path))

        probe(
            "ACAlice",
            [("/Dir/File1", True), ("/Dir/File2", False), ("/Dir/File3", True)],
            ["/Dir/ridiculous"],
        )
        probe(
            "ACBob",
            [("/Dir/File1", False), ("/Dir/File2", True), ("/Dir/File4", True)],
            ["/Dir/ridiculous"],
        )
        probe(
            "ACMitch",
            [("/Dir/File1", True), ("/Dir/File2", True), ("/Dir/File5", False)],
            ["/Dir/ridiculous"],
        )

        # ACMitch remains current for the raising variant.
        controller.assert_authorized_for_file("/Dir/File1")
        self.assertRaises(
            AccessControlException,
            controller.assert_authorized_for_file,
            "/Dir/File6",
        )
 def test_match_rule(self):
     """An unlisted URL must be denied by default.

     No current user is set here; the only expectation is that
     ``/nobody`` is not authorized.
     """
     controller = ESAPI.access_controller()
     decision = controller.is_authorized_for_url('/nobody')
     self.assertFalse(decision)