def testApplyACLByGroup(self):
""" security: applying acl by group name"""
# This acl string...
acl_rights = [
"PGroup,AllGroup:read,write,admin "
"AGroup:read "
]
acl = AccessControlList(acl_rights, valid=app.cfg.acl_rights_contents)
# Should apply these rights:
users = (
# user, rights
('Antony', ('read', 'write', 'admin', )), # in PGroup
('Beatrice', ('read', 'write', 'admin', )), # in PGroup
('Charles', ('read', )), # virtually in AGroup
)
# Check rights
for user, may in users:
mayNot = [right for right in app.cfg.acl_rights_contents
if right not in may]
# User should have these rights...
for right in may:
assert acl.may(user, right)
# But NOT these:
for right in mayNot:
assert not acl.may(user, right)
def testApplyACLByUser(self):
""" security: applying acl by user name"""
# This acl string...
acl_rights = [
"-MinusGuy:read "
"+MinusGuy:read "
"+PlusGuy:read "
"-PlusGuy:read "
"Admin1,Admin2:read,write,admin "
"Admin3:read,write,admin "
"JoeDoe:read,write "
"name with spaces,another one:read,write "
"CamelCase,extended name:read,write "
"BadGuy: "
"All:read "
]
acl = AccessControlList(acl_rights, valid=app.cfg.acl_rights_contents)
# Should apply these rights:
users = (
# user, rights
# CamelCase names
('Admin1', ('read', 'write', 'admin')),
('Admin2', ('read', 'write', 'admin')),
('Admin3', ('read', 'write', 'admin')),
('JoeDoe', ('read', 'write')),
('SomeGuy', ('read', )),
# Extended names or mix of extended and CamelCase
('name with spaces', ('read', 'write', )),
('another one', ('read', 'write', )),
('CamelCase', ('read', 'write', )),
('extended name', ('read', 'write', )),
# Blocking bad guys
('BadGuy', ()),
# All other users - every one not mentioned in the acl lines
('All', ('read', )),
('Anonymous', ('read', )),
# we check whether ACL processing stops for a user/right match
# with ACL modifiers
('MinusGuy', ()),
('PlusGuy', ('read', )),
)
# Check rights
for user, may in users:
mayNot = [right for right in app.cfg.acl_rights_contents
if right not in may]
# User should have these rights...
for right in may:
assert acl.may(user, right)
# But NOT these:
for right in mayNot:
assert not acl.may(user, right)
def __call__(self,
value,
start_pos=0,
positions=False,
mode=u'',
**kwargs):
"""
Calls AccessControlList for tokenization
Analyzer behaviour:
In index mode:
Input: u"JoeDoe,JaneDoe:admin,read,write,destroy +EditorGroup:write All:read"
Output: "u'JoeDoe:+read', u'JoeDoe:+write', u'JoeDoe:-create', u'JoeDoe:+admin',
u'JoeDoe:+destroy', u'JaneDoe:+read', u'JaneDoe:+write', u'JaneDoe:-create',
u'JaneDoe:+admin', u'JaneDoe:+destroy', u'EditorGroup:+write', u'All:+read',
u'All:-write', u'All:-create', u'All:-admin', u'All:-destroy'
In query mode:
Input: u"JoeDoe:+write"
Output: u"JoeDoe:+write"
:param value: unicode string
:param positions: Whether to record token positions in the token.
:param start_pos: The position number of the first token. For example,
if you set start_pos=2, the tokens will be numbered 2,3,4,...
instead of 0,1,2,...
"""
assert isinstance(value, unicode)
pos = start_pos
tk = Token()
tk.mode = mode
if mode == "query":
tk.text = value
if positions:
tk.pos = pos
yield tk
else:
acl = AccessControlList([value], valid=self._acl_rights_contents)
for name, permissions in acl.acl:
for permission in permissions:
sign = "+" if permissions[permission] else "-"
tk.text = u"{0}:{1}{2}".format(name, sign, permission)
if positions:
tk.pos = pos
pos += 1
yield tk
def __init__(self,
cfg,
backend,
hierarchic=False,
before=u"",
default=u"",
after=u"",
valid=None):
"""
@type backend: Some object that implements the storage API.
@param backend: The unprotected backend that we want to protect.
@type hierarchic: bool
@param hierarchic: Indicate whether we want to process ACLs in hierarchic mode.
@type before: unicode
@param before: ACL to be applied before all the other ACLs.
@type default: unicode
@param default: If no ACL information is given on the item in question, use this default.
@type after: unicode
@param after: ACL to be applied after all the other ACLs.
@type valid: list of strings or None
@param valid: If a list is given, only strings in the list are treated as valid acl privilege descriptors.
If None is give, the global wiki default is used.
"""
self.cfg = cfg
self.backend = backend
self.hierarchic = hierarchic
self.valid = valid
self.before = AccessControlList(cfg, [before],
default=default,
valid=valid)
self.default = AccessControlList(cfg, [default],
default=default,
valid=valid)
self.after = AccessControlList(cfg, [after],
default=default,
valid=valid)
def _get_acl(self, itemname):
"""
Get ACL strings from the last revision's metadata and return ACL object.
"""
try:
item = self.backend.get_item(itemname)
# we always use the ACLs set on the latest revision:
current_rev = item.get_revision(-1)
acls = current_rev[ACL]
except (NoSuchItemError, NoSuchRevisionError, KeyError):
# do not use default acl here
acls = []
if not isinstance(acls, (tuple, list)):
acls = (acls, )
default = self.default.default
return AccessControlList(self.cfg,
acls,
default=default,
valid=self.valid)
def test_wiki_backend_item_acl_usergroupmember_item(self):
"""
Test if the wiki group backend works with acl code.
First check acl rights of a user that is not a member of group
then add user member to an item group and check acl rights
"""
become_trusted()
update_item(u'NewGroup', {USERGROUP: ["ExampleUser"]}, DATA)
acl_rights = ["NewGroup:read,write"]
acl = AccessControlList(acl_rights, valid=app.cfg.acl_rights_contents)
has_rights_before = acl.may(u"AnotherUser", "read")
# update item - add AnotherUser to a item group NewGroup
update_item(u'NewGroup', {USERGROUP: ["AnotherUser"]}, '')
has_rights_after = acl.may(u"AnotherUser", "read")
assert not has_rights_before, 'AnotherUser has no read rights because in the beginning he is not a member of a group item NewGroup'
assert has_rights_after, 'AnotherUser must have read rights because after appenditem he is member of NewGroup'
def __init__(self):
""" Init Config instance """
self.cache = CacheClass()
if self.config_check_enabled:
self._config_check()
# define directories
data_dir = os.path.normpath(self.data_dir)
self.data_dir = data_dir
# Try to decode certain names which allow unicode
self._decode()
# After that, pre-compile some regexes
self.cache.item_dict_regex = re.compile(self.item_dict_regex, re.UNICODE)
self.cache.item_group_regex = re.compile(self.item_group_regex, re.UNICODE)
# the ..._regexact versions only match if nothing is left (exact match)
self.cache.item_dict_regexact = re.compile(u'^{0}$'.format(self.item_dict_regex, re.UNICODE))
self.cache.item_group_regexact = re.compile(u'^{0}$'.format(self.item_group_regex, re.UNICODE))
# compiled functions ACL
self.cache.acl_functions = AccessControlList([self.acl_functions], valid=self.acl_rights_functions)
plugins._loadPluginModule(self)
if self.user_defaults[TIMEZONE] is None:
self.user_defaults[TIMEZONE] = self.timezone_default
if self.user_defaults[THEME_NAME] is None:
self.user_defaults[THEME_NAME] = self.theme_default
# Note: do not assign user_defaults['locale'] = locale_default
# to give browser language detection a chance.
try:
self.language_default = parse_locale(self.locale_default)[0]
except ValueError:
raise error.ConfigurationError("Invalid locale_default value (give something like 'en_US').")
# post process
self.auth_can_logout = []
self.auth_login_inputs = []
found_names = []
for auth in self.auth:
if not auth.name:
raise error.ConfigurationError("Auth methods must have a name.")
if auth.name in found_names:
raise error.ConfigurationError("Auth method names must be unique.")
found_names.append(auth.name)
if auth.logout_possible and auth.name:
self.auth_can_logout.append(auth.name)
for input in auth.login_inputs:
if input not in self.auth_login_inputs:
self.auth_login_inputs.append(input)
self.auth_have_login = len(self.auth_login_inputs) > 0
self.auth_methods = found_names
# internal dict for plugin `modules' lists
self._site_plugin_lists = {}
# check if mail is possible and set flag:
self.mail_enabled = (self.mail_smarthost is not None or self.mail_sendmail is not None) and self.mail_from
self.mail_enabled = self.mail_enabled and True or False
if self.namespace_mapping is None:
raise error.ConfigurationError(
"No storage configuration specified! You need to define a namespace_mapping. "
"For further reference, please see HelpOnStorageConfiguration.")
if self.backend_mapping is None:
raise error.ConfigurationError(
"No storage configuration specified! You need to define a backend_mapping. " +
"For further reference, please see HelpOnStorageConfiguration.")
if self.acl_mapping is None:
raise error.ConfigurationError(
"No acl configuration specified! You need to define a acl_mapping. "
"For further reference, please see HelpOnStorageConfiguration.")
if self.secrets is None: # admin did not setup a real secret
raise error.ConfigurationError(
"No secret configured! You need to set secrets = 'somelongsecretstring' in your wiki config.")
if self.interwikiname is None: # admin did not setup a real interwikiname
raise error.ConfigurationError(
"No interwikiname configured! "
"You need to set interwikiname = u'YourUniqueStableInterwikiName' in your wiki config.")
secret_key_names = ['security/ticket', ]
if self.textchas:
secret_key_names.append('security/textcha')
secret_min_length = 10
if isinstance(self.secrets, str):
if len(self.secrets) < secret_min_length:
raise error.ConfigurationError(
"The secrets = '...' wiki config setting is a way too short string "
"(minimum length is {0} chars)!".format(secret_min_length))
# for lazy people: set all required secrets to same value
secrets = {}
for key in secret_key_names:
secrets[key] = self.secrets
self.secrets = secrets
# we check if we have all secrets we need and that they have minimum length
for secret_key_name in secret_key_names:
try:
secret = self.secrets[secret_key_name]
if len(secret) < secret_min_length:
raise ValueError
except (KeyError, ValueError):
raise error.ConfigurationError(
"You must set a (at least {0} chars long) secret string for secrets['{1}']!".format(
secret_min_length, secret_key_name))
from passlib.context import CryptContext
try:
self.cache.pwd_context = CryptContext(**self.passlib_crypt_context)
except ValueError as err:
raise error.ConfigurationError("passlib_crypt_context configuration is invalid [{0}].".format(err))
def _parse_acl(self, acl, default=''):
return AccessControlList([
acl,
],
default=default,
valid=self.valid_rights)
def testhasACL(self):
acl = AccessControlList(valid=app.cfg.acl_rights_contents)
assert not acl.has_acl()
acl = AccessControlList(["All:read", ], valid=app.cfg.acl_rights_contents)
assert acl.has_acl()
