def test_is_authorized_for_service(self):
    """Check service-level access decisions for the three test users.

    Each user is installed as the authenticator's current user and the
    access controller is asked about a handful of ``/services/...`` paths.
    The unregistered path ``/test/ridiculous`` is expected to be refused
    for every user (no rule should ever grant it), and the asserting
    variant must raise ``AccessControlException`` for it.
    """
    controller = ESAPI.access_controller()
    authenticator = ESAPI.authenticator()

    def verify_as(username, expectations):
        # Switch the active principal, then check each (service, allowed) pair
        # in the order given.
        authenticator.current_user = authenticator.get_user(username)
        for service, allowed in expectations:
            verdict = controller.is_authorized_for_service(service)
            if allowed:
                self.assertTrue(verdict)
            else:
                self.assertFalse(verdict)

    verify_as("ACAlice", [
        ("/services/ServiceA", True),
        ("/services/ServiceB", False),
        ("/services/ServiceC", True),
        ("/test/ridiculous", False),
    ])
    verify_as("ACBob", [
        ("/services/ServiceA", False),
        ("/services/ServiceB", True),
        ("/services/ServiceF", False),
        ("/test/ridiculous", False),
    ])
    verify_as("ACMitch", [
        ("/services/ServiceA", True),
        ("/services/ServiceB", True),
        ("/services/ServiceE", False),
        ("/test/ridiculous", False),
    ])

    # Still acting as ACMitch: the asserting form is silent when access is
    # granted and raises when it is not.
    controller.assert_authorized_for_service("/services/ServiceD")
    self.assertRaises(
        AccessControlException,
        controller.assert_authorized_for_service,
        "/test/ridiculous",
    )
def test_is_authorized_for_function(self):
    """Check function-level access decisions for the three test users.

    For every ``/FunctionX`` that a user is granted, the paired
    ``/FunctionXdeny`` entry is expected to be refused, so both the allow
    and the deny side of each rule are exercised.  The asserting variant
    must raise ``AccessControlException`` on a denied function.
    """
    controller = ESAPI.access_controller()
    authenticator = ESAPI.authenticator()

    def verify_as(username, expectations):
        # Install the user, then check each (function, allowed) pair in order.
        authenticator.current_user = authenticator.get_user(username)
        for function, allowed in expectations:
            verdict = controller.is_authorized_for_function(function)
            if allowed:
                self.assertTrue(verdict)
            else:
                self.assertFalse(verdict)

    verify_as("ACAlice", [
        ("/FunctionA", True),
        ("/FunctionAdeny", False),
        ("/FunctionB", False),
        ("/FunctionBdeny", False),
        ("/FunctionC", True),
        ("/FunctionCdeny", False),
    ])
    verify_as("ACBob", [
        ("/FunctionA", False),
        ("/FunctionAdeny", False),
        ("/FunctionB", True),
        ("/FunctionBdeny", False),
        ("/FunctionD", True),
        ("/FunctionDdeny", False),
    ])
    verify_as("ACMitch", [
        ("/FunctionA", True),
        ("/FunctionAdeny", False),
        ("/FunctionB", True),
        ("/FunctionBdeny", False),
        ("/FunctionC", True),
        ("/FunctionCdeny", False),
    ])

    # Still acting as ACMitch: granted function passes silently, denied one raises.
    controller.assert_authorized_for_function("/FunctionA")
    self.assertRaises(
        AccessControlException,
        controller.assert_authorized_for_function,
        "/FunctionDdeny",
    )
def test_is_authorized_for_data(self):
    """Check data access decisions (``read`` / ``write``) for the three test users.

    The data identifiers are plain strings; the local names describe the
    permission the test expects each one to carry (``admin_r`` = admins may
    read, ``user_rw`` = users may read and write, ``any_r`` = anyone may
    read, and so on).  ``undefined`` names a resource with no rule at all
    and is expected to be refused for both actions by every user, which
    pins down default-deny behaviour.
    """
    controller = ESAPI.access_controller()
    authenticator = ESAPI.authenticator()

    admin_r = "java.util.ArrayList"
    admin_rw = "java.lang.Math"
    user_w = "java.util.Date"
    user_rw = "java.lang.String"
    any_r = "java.io.BufferedReader"
    user_admin_r = "java.util.Random"
    user_admin_rw = "java.awt.event.MouseWheelEvent"
    undefined = "java.io.FileWriter"

    def verify_as(username, expectations):
        # Install the user, then check each (action, data, allowed) triple in order.
        authenticator.current_user = authenticator.get_user(username)
        for action, data, allowed in expectations:
            verdict = controller.is_authorized_for_data(action, data)
            if allowed:
                self.assertTrue(verdict)
            else:
                self.assertFalse(verdict)

    # User
    verify_as("ACAlice", [
        ("read", user_rw, True),
        ("read", undefined, False),
        ("write", undefined, False),
        ("read", user_w, False),
        ("read", admin_rw, False),
        ("write", user_rw, True),
        ("write", user_w, True),
        ("write", any_r, False),
        ("read", any_r, True),
        ("read", user_admin_r, True),
        ("write", user_admin_rw, True),
    ])
    # Admin
    verify_as("ACBob", [
        ("read", admin_rw, True),
        ("read", undefined, False),
        ("write", undefined, False),
        ("read", user_rw, False),
        ("write", admin_rw, True),
        ("write", any_r, False),
        ("read", any_r, True),
        ("read", user_admin_r, True),
        ("write", user_admin_rw, True),
    ])
    # User/Admin
    verify_as("ACMitch", [
        ("read", user_rw, True),
        ("read", undefined, False),
        ("write", undefined, False),
        ("read", user_w, False),
        ("read", admin_r, True),
        ("write", user_rw, True),
        ("write", user_w, True),
        ("write", any_r, False),
        ("read", any_r, True),
        ("read", user_admin_r, True),
        ("write", user_admin_rw, True),
    ])

    # Still acting as ACMitch: a read-only resource must reject a write.
    controller.assert_authorized_for_data("read", user_rw)
    self.assertRaises(
        AccessControlException,
        controller.assert_authorized_for_data,
        "write",
        admin_r,
    )
def test_is_authorized_for_url(self):
    """Check URL access decisions for the three test users.

    Besides the plain allow/deny paths, the expectations under
    ``/test/none`` exercise extension-specific exceptions: the directory
    itself is refused, ``.gif`` and ``.png`` files beneath it are allowed,
    and a ``.exe`` beneath it is refused.  ``/nobody`` is expected to be
    refused for everyone, and the asserting variant must raise
    ``AccessControlException`` for it.
    """
    controller = ESAPI.access_controller()
    authenticator = ESAPI.authenticator()

    def verify_as(username, expectations):
        # Install the user, then check each (url, allowed) pair in order.
        authenticator.current_user = authenticator.get_user(username)
        for url, allowed in expectations:
            verdict = controller.is_authorized_for_url(url)
            if allowed:
                self.assertTrue(verdict)
            else:
                self.assertFalse(verdict)

    verify_as("ACAlice", [
        ("/nobody", False),
        ("/test/admin", False),
        ("/test/user", True),
        ("/test/all", True),
        ("/test/none", False),
        ("/test/none/test.gif", True),
        ("/test/none/test.exe", False),
        ("/test/none/test.png", True),
        ("/test/moderator", False),
        ("/test/profile", True),
        ("/upload", False),
    ])
    verify_as("ACBob", [
        ("/nobody", False),
        ("/test/admin", True),
        ("/test/user", False),
        ("/test/all", True),
        ("/test/none", False),
        ("/test/none/test.png", True),
        ("/test/moderator", False),
        ("/test/profile", True),
        ("/upload", False),
    ])
    verify_as("ACMitch", [
        ("/nobody", False),
        ("/test/admin", True),
        ("/test/user", True),
        ("/test/all", True),
        ("/test/none", False),
        ("/test/none/test.png", True),
        ("/test/moderator", False),
        ("/test/profile", True),
        ("/upload", False),
    ])

    # Still acting as ACMitch: allowed URL passes silently, unmatched one raises.
    controller.assert_authorized_for_url("/test/admin")
    self.assertRaises(
        AccessControlException,
        controller.assert_authorized_for_url,
        "/nobody",
    )
def test_is_authorized_for_file(self):
    """Check file access decisions for the three test users.

    ``/Dir/ridiculous`` has no rule and is expected to be refused for every
    user; the asserting variant must raise ``AccessControlException`` for
    a file the current user is not granted.
    """
    controller = ESAPI.access_controller()
    authenticator = ESAPI.authenticator()

    def verify_as(username, expectations):
        # Install the user, then check each (path, allowed) pair in order.
        authenticator.current_user = authenticator.get_user(username)
        for path, allowed in expectations:
            verdict = controller.is_authorized_for_file(path)
            if allowed:
                self.assertTrue(verdict)
            else:
                self.assertFalse(verdict)

    verify_as("ACAlice", [
        ("/Dir/File1", True),
        ("/Dir/File2", False),
        ("/Dir/File3", True),
        ("/Dir/ridiculous", False),
    ])
    verify_as("ACBob", [
        ("/Dir/File1", False),
        ("/Dir/File2", True),
        ("/Dir/File4", True),
        ("/Dir/ridiculous", False),
    ])
    verify_as("ACMitch", [
        ("/Dir/File1", True),
        ("/Dir/File2", True),
        ("/Dir/File5", False),
        ("/Dir/ridiculous", False),
    ])

    # Still acting as ACMitch: granted file passes silently, ungranted one raises.
    controller.assert_authorized_for_file("/Dir/File1")
    self.assertRaises(
        AccessControlException,
        controller.assert_authorized_for_file,
        "/Dir/File6",
    )
def test_match_rule(self):
    """Expect ``/nobody`` to be refused.

    No user is installed here, so this relies on whatever current user the
    authenticator holds at this point (presumably none or the previous
    test's user — confirm against the fixture).  The method name suggests
    ``/nobody`` matches no rule, so the decision must fall through to deny.
    """
    controller = ESAPI.access_controller()
    self.assertFalse(controller.is_authorized_for_url('/nobody'))