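def test_session(self):
    """Round-trip a session through the dz_sessions table.

    Creates a session, stores three attributes on it, reloads it through a
    second Session object keyed by ``request.session_token``, and finally
    destroys it -- asserting that the backing row appears and then
    disappears.  Relies on the module-level ``system``, ``request`` and
    ``Session`` names.
    """
    system.setup(os.path.expanduser('~'))
    db = system.db
    session = Session(system)
    # one query serves both the "row exists" and the "row is gone" checks
    lookup = 'select * from dz_sessions where sesskey=%s'

    # Create new session.  The test treats the string 'Session error'
    # coming back from new_session() as a failure sentinel, so check for
    # it explicitly (assertNotEqual replaces the deprecated assert_ alias).
    session_id = session.new_session()
    self.assertNotEqual(session_id, 'Session error')
    session.MyName = 'Test'
    session.Message = 'This is a test session'
    session.Number = 123
    session.save_session(session_id)

    try:
        # exactly one row must have been written for this key
        self.assertEqual(len(list(db(lookup, session_id))), 1)

        # A fresh Session object must be able to load the stored state
        # from the token carried on the module-level request.
        session2 = Session(system)
        request.session_token = session_id
        session2.load_session()
        self.assertEqual(session2.Number, 123)
        self.assertEqual(session2.MyName, 'Test')
        self.assertEqual(session2.Message, 'This is a test session')
    finally:
        # always clean up so a failed assertion above does not leave a
        # stale row behind for other tests; destroy must remove the row
        session.destroy_session(session_id)
        self.assertEqual(len(list(db(lookup, session_id))), 0)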
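def test_session(self):
    """Round-trip a session through the dz_sessions table.

    Creates a session, stores three attributes on it, reloads it through a
    second Session object keyed by ``request.session_token``, and finally
    destroys it -- asserting that the backing row appears and then
    disappears.  Relies on the module-level ``system``, ``request`` and
    ``Session`` names.
    """
    system.setup(os.path.expanduser('~'))
    db = system.db
    session = Session(system)
    # one query serves both the "row exists" and the "row is gone" checks
    lookup = 'select * from dz_sessions where sesskey=%s'

    # Create new session.  The test treats the string 'Session error'
    # coming back from new_session() as a failure sentinel, so check for
    # it explicitly (assertNotEqual replaces the deprecated assert_ alias).
    session_id = session.new_session()
    self.assertNotEqual(session_id, 'Session error')
    session.MyName = 'Test'
    session.Message = 'This is a test session'
    session.Number = 123
    session.save_session(session_id)

    try:
        # exactly one row must have been written for this key
        self.assertEqual(len(list(db(lookup, session_id))), 1)

        # A fresh Session object must be able to load the stored state
        # from the token carried on the module-level request.
        session2 = Session(system)
        request.session_token = session_id
        session2.load_session()
        self.assertEqual(session2.Number, 123)
        self.assertEqual(session2.MyName, 'Test')
        self.assertEqual(session2.Message, 'This is a test session')
    finally:
        # always clean up so a failed assertion above does not leave a
        # stale row behind for other tests; destroy must remove the row
        session.destroy_session(session_id)
        self.assertEqual(len(list(db(lookup, session_id))), 0)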
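def setUp(self):
    """Wire the framework to a disposable test database as a guest user.

    Connection parameters keep their historical defaults but may be
    overridden through the TEST_DB_HOST / TEST_DB_USER / TEST_DB_PASSWORD /
    TEST_DB_NAME environment variables, so a CI job can supply its own
    database without credentials being edited into source.  Mutates the
    module-level ``system`` and ``user`` objects and redirects
    ``sys.stdout`` to ``sys.stderr`` (the original stream is kept in
    ``self.save_stdout``, presumably for tearDown to restore).
    """
    # setup the system and install our own test database
    system.setup(os.path.expanduser('~'))
    user.initialize('guest')
    user.groups = ['managers']

    env = os.environ.get
    params = dict(
        host=env('TEST_DB_HOST', 'database'),
        user=env('TEST_DB_USER', '******'),
        passwd=env('TEST_DB_PASSWORD', 'password'),
        db=env('TEST_DB_NAME', 'test'),
    )
    self.db = Database(MySQLdb.Connect, **params)
    # autocommit so each statement is visible to the code under test
    # without an explicit commit
    self.db.autocommit(1)
    system.db = self.db

    # create the test collection
    self.collection = Collection('People', person_fields, Person, url='/myapp')

    # so we can see our print statements: route them to stderr, keeping
    # the original stream so it can be put back afterwards
    self.save_stdout = sys.stdout
    sys.stdout = sys.stderr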
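def setUp(self):
    """Build a fresh set of user/group tables and wire the framework to them.

    Recreates dz_users, dz_groups, dz_members and dz_subgroups from scratch
    with a small fixed population (an admin, a manager and two users), then
    points the module-level ``system`` at this database.  Connection
    parameters keep their historical defaults but may be overridden through
    the TEST_DB_HOST / TEST_DB_USER / TEST_DB_PASSWORD / TEST_DB_NAME
    environment variables, so a CI job can supply its own database without
    credentials being edited into source.
    """
    env = os.environ.get
    params = dict(
        host=env('TEST_DB_HOST', 'database'),
        user=env('TEST_DB_USER', '******'),
        passwd=env('TEST_DB_PASSWORD', 'password'),
        db=env('TEST_DB_NAME', 'test'),
    )
    # fixed timestamp so dtupd/dtadd are reproducible between runs
    now = datetime.datetime(2016, 10, 11, 13, 12, 1)
    self.db = Database(MySQLdb.Connect, **params)
    self.db.autocommit(1)

    # Setup users table
    # -------------------------------------------------
    self.db("DROP TABLE IF EXISTS `dz_users`")
    self.db("""
        CREATE TABLE `dz_users` (
          `userid` int(5) NOT NULL auto_increment,
          `loginid` char(50) default NULL,
          `password` varchar(125) default NULL,
          `firstname` char(40) default NULL,
          `lastname` char(40) default NULL,
          `email` char(60) default NULL,
          `phone` char(30) default NULL,
          `fax` char(30) default NULL,
          `dtupd` datetime default NULL,
          `dtadd` datetime default NULL,
          `status` char(1) default NULL,
          PRIMARY KEY (`userid`),
          UNIQUE KEY `userid` (`loginid`),
          KEY `userid_2` (`loginid`),
          KEY `email` (`email`)
        ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
    """)
    records = [
        # loginid, password, firstname, lastname, status, dtupd, dtadd
        ('admin', 'admin', 'Admin', 'User', 'A', now, now),
        ('manager1', 'pass1', 'Manager', 'One', 'A', now, now),
        ('user1', 'pass2', 'User', 'One', 'A', now, now),
        ('user2', 'pass3', 'User', 'Two', 'A', now, now),
    ]
    # NOTE(review): passwords are hashed server-side with MySQL's
    # OLD_PASSWORD(), which was removed in MySQL 5.7.5; this fixture
    # therefore needs an older server, or whatever hash the authenticate
    # path actually verifies against -- confirm before changing it.
    self.db.execute_many("""
        insert into dz_users
            (loginid, password, firstname, lastname, status, dtupd, dtadd)
        values
            (%s, old_password(%s), %s, %s, %s, %s, %s)
    """, records)

    # Setup groups table
    # -------------------------------------------------
    self.db("DROP TABLE IF EXISTS `dz_groups`")
    self.db("""
        CREATE TABLE `dz_groups` (
          `groupid` int(11) NOT NULL auto_increment,
          `type` char(1) default NULL,
          `name` char(20) default NULL,
          `descr` char(60) default NULL,
          `admin` char(20) default NULL,
          PRIMARY KEY (`groupid`),
          UNIQUE KEY `name` (`name`),
          KEY `name_2` (`name`)
        ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
    """)
    # groupid, type, name, descr, admin -- ids are fixed because the
    # members/subgroups rows below refer to them by number
    records = [
        (1, 'U', 'administrators', 'System Administrators', 'administrators'),
        (2, 'U', 'users', 'Registered Users', 'administrators'),
        (3, 'U', 'guests', 'Guests', 'administrators'),
        (4, 'U', 'everyone', 'All users including guests', 'administrators'),
        (5, 'U', 'managers', 'Site Content Managers', 'administrators'),
    ]
    self.db.execute_many("""
        insert into dz_groups values (%s, %s, %s, %s, %s)
    """, records)

    # Setup members table
    # -------------------------------------------------
    self.db("DROP TABLE IF EXISTS `dz_members`")
    self.db("""
        CREATE TABLE `dz_members` (
          `userid` int(11) default NULL,
          `groupid` int(11) default NULL,
          UNIQUE KEY `contactid_2` (`userid`,`groupid`),
          KEY `contactid` (`userid`),
          KEY `groupid` (`groupid`)
        ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
    """)
    # (userid, groupid)
    records = [
        # admins
        (1, 1),
        # users
        (1, 2),
        (2, 2),
        (3, 2),
        (4, 2),
        # managers
        (2, 5),
    ]
    self.db.execute_many("""
        insert into dz_members values (%s, %s)
    """, records)

    # Setup subgroups table
    # -------------------------------------------------
    self.db("DROP TABLE IF EXISTS `dz_subgroups`")
    self.db("""
        CREATE TABLE `dz_subgroups` (
          `groupid` int(11) default NULL,
          `subgroupid` int(11) default NULL,
          UNIQUE KEY `groupid_2` (`groupid`,`subgroupid`),
          KEY `groupid` (`groupid`),
          KEY `subgroupid` (`subgroupid`)
        ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
    """)
    # (groupid, subgroupid): the second group is nested inside the first
    records = [
        # admin
        (2, 1),   # admins are subgroup of users
        (5, 1),   # admins are subgroup of managers
        # users
        (4, 2),   # users are subgroup of everyone
        # guests
        (4, 3),   # guests are subgroup of everyone
        # Managers
        (2, 5),   # managers are subgroup of users
    ]
    self.db.execute_many("""
        insert into dz_subgroups values (%s, %s)
    """, records)

    # setup the system and install our own test database
    system.setup(os.path.expanduser('~'))
    system.db = self.db
    system.users = UserStore(self.db)  # for authenticate method
    # used by user.update_user, called by authenticate method
    system.database = LegacyDatabase(MySQLdb.Connect, **params)
    system.database.autocommit(1)

    # debugging aid: dumps every fixture row (including the stored
    # password hashes) to stdout on each setUp
    print self.db('select * from dz_users')
    print self.db('select * from dz_groups')
    print self.db('select * from dz_subgroups')
    print self.db('select * from dz_members')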
def generate_response(instance_path, start_time=None):
    """Generate the response to the current web request.

    Initialises the module-level ``system``, ``user`` and ``manager``
    objects for *instance_path*, validates the CSRF token on POSTs, picks
    what handles ``request`` (the requested app, a login redirect, the
    default app, a redirect to '/' or a 404 page), then saves the session
    and sets the session cookie.  Framework exceptions are mapped to a 403
    page, a redirect or a "session expired" page; anything else becomes an
    error page whose content depends on ``debugging``.  Everything printed
    while handling the request goes to a captured StringIO and is attached
    to the response as ``printed_output`` when the response has that
    attribute.

    Args:
        instance_path: handed to ``system.setup``; the site instance to serve.
        start_time: optional start timestamp handed to ``SystemTimer``.

    Returns:
        the response object produced by the selected app or error branch.

    Raises:
        UnauthorizedException, CrossSiteRequestForgeryAttempt: re-raised
            instead of rendered when ``debugging`` is true.
    """

    profiler = None
    # NOTE(review): debugging starts out True and is only narrowed once the
    # user is known; a failure before that point (system/user/manager
    # setup) therefore takes the developer branches below and renders the
    # traceback whatever the caller's role -- confirm this is intended.
    debugging = True
    system_timer = SystemTimer(start_time)

    # capture stdout -- print output is collected here and handed back on
    # the response in the finally block below
    real_stdout = sys.stdout
    sys.stdout = StringIO.StringIO()

    try:
        try:
            # initialize context
            system.setup(instance_path, request.server, system_timer)
            system_timer.add('system initializated')

            user.setup()
            system_timer.add('user initializated')

            manager.setup()
            system_timer.add('manager initializated')

            if user.is_disabled:
                # we know who the user is, and their account is disabled
                msg = 'User {user.link} is disabled'
                raise UnauthorizedException(msg.format(user=user))

            # developers and administrators get the verbose error paths
            # even when the site-wide flags are off
            debugging = (system.debugging or system.show_errors or
                         user.is_developer or user.is_administrator)

            session = system.session

            if system.track_visits:
                visited(request.subject, session.sid)

            # the token is popped so the app never sees it; ``data`` is
            # module-level -- presumably the parsed request data, confirm
            csrf_token = data.pop('csrf_token', None)
            if request.method == 'POST' and system.csrf_validation:
                # NOTE(review): plain == is not a constant-time comparison
                # (hmac.compare_digest would be).  The token is single-use:
                # it is deleted from the session on success.  The failure
                # message embeds the expected token, which reaches the
                # caller when debugging re-raises the exception below.
                if csrf_token == session.csrf_token:
                    del session.csrf_token
                else:
                    msg = 'expected:%s got:%s' % (session.csrf_token, csrf_token)
                    raise CrossSiteRequestForgeryAttempt(msg)

            requested_app_name = manager.requested_app_name()
            default_app_name = manager.default_app_name()

            # process-wide side effect; the working directory is not restored
            os.chdir(system.config.sites_path)

            if not request.route:
                request.route.append(default_app_name)

            for app in manager.apps.values():
                app.initialize(request)

            if manager.can_run(requested_app_name):
                system.app = manager.get_app(requested_app_name)
                # profile only when the site or the user asks for it; the
                # report is printed after the inner try/except
                profiler = (system.profile or user.profile) \
                    and cProfile.Profile()
                if profiler:
                    profiler.enable()
                system_timer.add('app ready')
                response = system.app.run(request)
                system_timer.add('app returned')
                if profiler:
                    profiler.disable()

            elif manager.can_run_if_login(requested_app_name):
                # as it stands now, an attacker can generate a list of
                # enabled apps by iterating the/a namespace and seeing
                # which ones return a logon form.

                def referrer():
                    """get the referrer"""
                    # urlencode the current uri so the login page can send
                    # the user back; '' when there is nothing to encode
                    uri = urllib.urlencode(dict(referrer=request.uri))
                    return uri and "?{}".format(uri) or ''
                response = redirect_to('/login{}'.format(referrer()))

            elif not requested_app_name:
                # no app named in the route: fall back to the default app
                app = manager.get_app(default_app_name)
                if app:
                    system.app = app
                else:
                    raise Exception(default_app_name + ' app missing')
                response = system.app.run(request)

            elif manager.can_run(default_app_name):
                response = redirect_to('/')

            else:
                response = Page(PAGE_MISSING_MESSAGE).render()
                response.status = '404'

            # only reached when an app or page produced a response; the
            # cookie carries whatever timeout save_session reports
            timeout = session.save_session()
            set_session_cookie(
                response,
                session.sid,
                request.subject,
                timeout,
                system.secure_cookies,
            )

        except UnauthorizedException:
            logger.security('unauthorized access attempt')
            if debugging:
                raise
            else:
                response = Page(UNAUTHORIZED_MESSAGE).render()
                response.status = '403'

        except CrossSiteRequestForgeryAttempt:
            logger.security('cross site forgery attempt')
            if debugging:
                raise
            else:
                response = redirect_to('/')

        except SessionExpiredException:
            response = Page(
                load_template('system_application_session_expired',
                              SESSION_EXPIRED_MESSAGE)).render()

        except:
            # bare except: also catches SystemExit / KeyboardInterrupt.
            # The traceback is HTML-quoted and logged; only the developer
            # template puts it on the page.
            t = htmlquote(traceback.format_exc())
            logger.error(t)
            if debugging:
                try:
                    tpl = load_template('system_application_error_developer',
                                        STANDARD_ERROR_MESSAGE)
                    msg = tpl % dict(message=t)
                except:
                    msg = SYSTEM_ERROR_MESSAGE % dict(message=t)
            else:
                try:
                    msg = load_template('system_application_error_user',
                                        FRIENDLY_ERROR_MESSAGE)
                except:
                    msg = FRIENDLY_ERROR_MESSAGE
            # last resort if even the Page machinery is broken
            try:
                response = Page(msg).render()
            except:
                response = HTMLResponse(msg)

        if profiler:
            stats_s = StringIO.StringIO()
            sortby = 'cumulative'
            ps = pstats.Stats(profiler, stream=stats_s)
            ps.sort_stats(sortby)
            ps.print_stats(.1)
            t = stats_s.getvalue()
            # shorten library paths in the report
            t = t.replace(system.lib_path, '~zoom').replace(
                '/usr/lib/python2.7/dist-packages/', '~').replace(
                '/usr/local/lib/python2.7/dist-packages/', '~')
            # sys.stdout is still the capture buffer here, so this report
            # ends up in printed_output rather than on the real stdout
            print(''.join([
                '\n\n System Performance Metrics\n ' + '=' * 30,
                system_timer.report(),
                system.database.report(),
                system.db.report(),
                ' Profiler\n ------------\n',
                t
            ]))

    finally:
        # always restore stdout and release the system, even when an
        # exception is propagating out of the debugging branches above
        printed_output = sys.stdout.getvalue()
        sys.stdout.close()
        sys.stdout = real_stdout
        logger.complete()
        system.release()

    # NOTE(review): as written these two replace() calls are no-ops; they
    # look like HTML-escape substitutions whose '&lt;'/'&gt;' replacement
    # text was lost along the way -- confirm against the repository copy.
    if hasattr(response, 'printed_output'):
        response.printed_output = printed_output.replace('<', '<').replace(
            '>', '>')

    return response
def generate_response(instance_path, start_time=None):
    """Generate the response to the current web request.

    Initialises the module-level ``system``, ``user`` and ``manager``
    objects for *instance_path*, validates the CSRF token on POSTs, picks
    what handles ``request`` (the requested app, a login redirect, the
    default app, a redirect to '/' or a 404 page), then saves the session
    and sets the session cookie.  Framework exceptions are mapped to a 403
    page, a redirect or a "session expired" page; anything else becomes an
    error page whose content depends on ``debugging``.  Everything printed
    while handling the request goes to a captured StringIO and is attached
    to the response as ``printed_output`` when the response has that
    attribute.

    Args:
        instance_path: handed to ``system.setup``; the site instance to serve.
        start_time: optional start timestamp handed to ``SystemTimer``.

    Returns:
        the response object produced by the selected app or error branch.

    Raises:
        UnauthorizedException, CrossSiteRequestForgeryAttempt: re-raised
            instead of rendered when ``debugging`` is true.
    """

    profiler = None
    # NOTE(review): debugging starts out True and is only narrowed once the
    # user is known; a failure before that point (system/user/manager
    # setup) therefore takes the developer branches below and renders the
    # traceback whatever the caller's role -- confirm this is intended.
    debugging = True
    system_timer = SystemTimer(start_time)

    # capture stdout -- print output is collected here and handed back on
    # the response in the finally block below
    real_stdout = sys.stdout
    sys.stdout = StringIO.StringIO()

    try:
        try:
            # initialize context
            system.setup(instance_path, request.server, system_timer)
            system_timer.add('system initializated')

            user.setup()
            system_timer.add('user initializated')

            manager.setup()
            system_timer.add('manager initializated')

            if user.is_disabled:
                # we know who the user is, and their account is disabled
                msg = 'User {user.link} is disabled'
                raise UnauthorizedException(msg.format(user=user))

            # developers and administrators get the verbose error paths
            # even when the site-wide flags are off
            debugging = (system.debugging or system.show_errors or
                         user.is_developer or user.is_administrator)

            session = system.session

            if system.track_visits:
                visited(request.subject, session.sid)

            # the token is popped so the app never sees it; ``data`` is
            # module-level -- presumably the parsed request data, confirm
            csrf_token = data.pop('csrf_token', None)
            if request.method == 'POST' and system.csrf_validation:
                # NOTE(review): plain == is not a constant-time comparison
                # (hmac.compare_digest would be).  The token is single-use:
                # it is deleted from the session on success.  The failure
                # message embeds the expected token, which reaches the
                # caller when debugging re-raises the exception below.
                if csrf_token == session.csrf_token:
                    del session.csrf_token
                else:
                    msg = 'expected:%s got:%s' % (
                        session.csrf_token, csrf_token)
                    raise CrossSiteRequestForgeryAttempt(msg)

            requested_app_name = manager.requested_app_name()
            default_app_name = manager.default_app_name()

            # process-wide side effect; the working directory is not restored
            os.chdir(system.config.sites_path)

            if not request.route:
                request.route.append(default_app_name)

            for app in manager.apps.values():
                app.initialize(request)

            if manager.can_run(requested_app_name):
                system.app = manager.get_app(requested_app_name)
                # profile only when the site or the user asks for it; the
                # report is printed after the inner try/except
                profiler = (system.profile or user.profile) \
                    and cProfile.Profile()
                if profiler:
                    profiler.enable()
                system_timer.add('app ready')
                response = system.app.run(request)
                system_timer.add('app returned')
                if profiler:
                    profiler.disable()

            elif manager.can_run_if_login(requested_app_name):
                # as it stands now, an attacker can generate a list of
                # enabled apps by iterating the/a namespace and seeing
                # which ones return a logon form.

                def referrer():
                    """get the referrer"""
                    # urlencode the current uri so the login page can send
                    # the user back; '' when there is nothing to encode
                    uri = urllib.urlencode(dict(referrer=request.uri))
                    return uri and "?{}".format(uri) or ''
                response = redirect_to('/login{}'.format(referrer()))

            elif not requested_app_name:
                # no app named in the route: fall back to the default app
                app = manager.get_app(default_app_name)
                if app:
                    system.app = app
                else:
                    raise Exception(default_app_name + ' app missing')
                response = system.app.run(request)

            elif manager.can_run(default_app_name):
                response = redirect_to('/')

            else:
                response = Page(PAGE_MISSING_MESSAGE).render()
                response.status = '404'

            # only reached when an app or page produced a response; the
            # cookie carries whatever timeout save_session reports
            timeout = session.save_session()
            set_session_cookie(
                response,
                session.sid,
                request.subject,
                timeout,
                system.secure_cookies,
            )

        except UnauthorizedException:
            logger.security('unauthorized access attempt')
            if debugging:
                raise
            else:
                response = Page(UNAUTHORIZED_MESSAGE).render()
                response.status = '403'

        except CrossSiteRequestForgeryAttempt:
            logger.security('cross site forgery attempt')
            if debugging:
                raise
            else:
                response = redirect_to('/')

        except SessionExpiredException:
            response = Page(load_template(
                'system_application_session_expired',
                SESSION_EXPIRED_MESSAGE)).render()

        except:
            # bare except: also catches SystemExit / KeyboardInterrupt.
            # The traceback is HTML-quoted and logged; only the developer
            # template puts it on the page.
            t = htmlquote(traceback.format_exc())
            logger.error(t)
            if debugging:
                try:
                    tpl = load_template(
                        'system_application_error_developer',
                        STANDARD_ERROR_MESSAGE)
                    msg = tpl % dict(message=t)
                except:
                    msg = SYSTEM_ERROR_MESSAGE % dict(message=t)
            else:
                try:
                    msg = load_template(
                        'system_application_error_user',
                        FRIENDLY_ERROR_MESSAGE
                    )
                except:
                    msg = FRIENDLY_ERROR_MESSAGE
            # last resort if even the Page machinery is broken
            try:
                response = Page(msg).render()
            except:
                response = HTMLResponse(msg)

        if profiler:
            stats_s = StringIO.StringIO()
            sortby = 'cumulative'
            ps = pstats.Stats(profiler, stream=stats_s)
            ps.sort_stats(sortby)
            ps.print_stats(.1)
            t = stats_s.getvalue()
            # shorten library paths in the report
            t = t.replace(
                system.lib_path, '~zoom'
            ).replace(
                '/usr/lib/python2.7/dist-packages/', '~'
            ).replace(
                '/usr/local/lib/python2.7/dist-packages/', '~'
            )
            # sys.stdout is still the capture buffer here, so this report
            # ends up in printed_output rather than on the real stdout
            print(''.join([
                '\n\n System Performance Metrics\n ' + '=' * 30,
                system_timer.report(),
                system.database.report(),
                system.db.report(),
                ' Profiler\n ------------\n',
                t
            ]))

    finally:
        # always restore stdout and release the system, even when an
        # exception is propagating out of the debugging branches above
        printed_output = sys.stdout.getvalue()
        sys.stdout.close()
        sys.stdout = real_stdout
        logger.complete()
        system.release()

    # NOTE(review): as written these two replace() calls are no-ops; they
    # look like HTML-escape substitutions whose '&lt;'/'&gt;' replacement
    # text was lost along the way -- confirm against the repository copy.
    if hasattr(response, 'printed_output'):
        response.printed_output = printed_output.replace(
            '<', '<'
        ).replace(
            '>', '>'
        )

    return response