def test_single_user_nonsuperadmin(self): """ a user is allowed to receive information of an arbitrary user, if he has ACCESS_READ in the user2user table. """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 3) # ACCESS_READ valid_sid = self.ccd._assign_user_a_session(user).sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user_to_request.uid, 3) payload = {"uid": user_to_request.uid} res = show_user(self.ccd, valid_sid, payload)[0] try: self.assertEqual(res["uid"], user_to_request.uid) self.assertEqual(res["name"], user_to_request.name) self.assertEqual(res["mail"], user_to_request.mail) self.assertEqual(res["description"], user_to_request.description) finally: user.delete(db) user_to_request.delete(db) wg.delete(db)
def test_permission_denied(self): """ verify that a non-superdmin user, who has no ACCESS_WRITE is not allowed to modify a user """ db = self.ccd._db.conn # first we create that new user uid = create_user(db, str(getRandomBytes())).uid # create a user and a workgroup w/o ACCESS_ADD in # user2users table user = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 4) # NO ACCESS_WRITE valid_sid = self.ccd._assign_user_a_session(user).sid # second, we update this user name2 = str(getRandomBytes()) mail2 = "mymail%d" % random.randrange(1000, 9999) description2 = "mydescription%d" % random.randrange(1000, 9999) update_pld = { "uid": uid, "name": name2, "mail": mail2, "description": description2 } self.assertRaises(PermissionDenied, update_user, self.ccd, valid_sid, update_pld)
def test_rename_user_with_existing_username(self): """ renaming a user to a name of an existing user should raise an exception """ db = self.ccd._db.conn valid_sid = self.session.sid # this is the user that we try to rename as name1 = str(getRandomBytes()) create_user(db, name1).uid # this is the user that we want to rename name2 = str(getRandomBytes()) uid2 = create_user(db, name2).uid # now renanme user2 with the name of user1 update_pld = { "uid": uid2, "name": name1, "mail": "foo", "description": "bar" } self.assertRaises(AlreadyExistingError, update_user, self.ccd, valid_sid, update_pld)
def test_superadmin(self): """ verify that the superadmin is able to update users """ valid_sid = self.session.sid name = str(getRandomBytes()) add_pld = { "name": name, "mail": "mail@mynewuser", "password": "******" } # first we create that new user uid = new_user(self.ccd, valid_sid, add_pld) self.assertIsInstance(uid, int) # second, we update this user name2 = str(getRandomBytes()) mail2 = "mymail%d" % random.randrange(1000, 9999) description2 = "mydescription%d" % random.randrange(1000, 9999) update_pld = { "uid": uid, "name": name2, "mail": mail2, "description": description2 } self.assertIsNone(update_user(self.ccd, valid_sid, update_pld)) # third, we verify that the changed data is written to database user = User.by_uid(self.ccd._db.conn, uid) self.assertEqual(user.name, name2) self.assertEqual(user.mail, mail2) self.assertEqual(user.description, description2)
def test_single_user_permission_denied(self): """ a user that is not superadmin and has no ACCESS_READ must fail reading user information (of user that are not the user ifself). it must be raised a permission denied exceperion. Note. every role includes ACCESS_READ by default, hence the user that requests the information must no be in user2user table. """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) valid_sid = self.ccd._assign_user_a_session(user).sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user_to_request.uid, 3) payload = {"uid": user_to_request.uid} try: self.assertRaises(PermissionDenied, show_user, self.ccd, valid_sid, payload) finally: user.delete(db) user_to_request.delete(db) wg.delete(db)
def test_all_user_permission_denied(self): """ a user that is not superadmin and has no ACCESS_READ must fail reading user information (of user that are not the user ifself). it must be raised a permission denied exception """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) valid_sid = self.ccd._assign_user_a_session(user).sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user_to_request.uid, 3) # set None to request all users payload = {"uid": None} try: self.assertRaises(PermissionDenied, show_user, self.ccd, valid_sid, payload) finally: user.delete(db) user_to_request.delete(db) wg.delete(db)
def test_single_user_permission_denied(self): """ a user that is not superadmin and has no ACCESS_READ must fail reading user information (of user that are not the user ifself). it must be raised a permission denied exceperion. Note. every role includes ACCESS_READ by default, hence the user that requests the information must no be in user2user table. """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) valid_sid = self.ccd._assign_user_a_session(user).sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user_to_request.uid, 3) payload = {"uid": user_to_request.uid} try: self.assertRaises(PermissionDenied, show_user, self.ccd, valid_sid, payload) finally: user.delete(db) user_to_request.delete(db) wg.delete(db)
def test_addpermission(self): """ verify that a user with ACCESS_ADD in user2user table is able to create new users. note: this user must not be the superadmin. """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 2) del_user2user(db, user.uid) add_user2user(db, user.uid, 2) # ACCESS_ADD valid_sid = self.ccd._assign_user_a_session(user).sid # create user name = str(getRandomBytes()) valid_pld = {"name": name, "mail": "mail@mynewuser", "password": "******"} # first we create that new user uid = new_user(self.ccd, valid_sid, valid_pld) self.assertIsInstance(uid, int) # second, we check for the user to be in the database user2 = User.by_name(self.ccd._db.conn, name) try: self.assertEqual(uid, user2.uid) finally: # delete them, since they are not needed anymore user2.delete(db) user.delete(db) wg.delete(db)
def test_all_user_permission_denied(self): """ a user that is not superadmin and has no ACCESS_READ must fail reading user information (of user that are not the user ifself). it must be raised a permission denied exception """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) valid_sid = self.ccd._assign_user_a_session(user).sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user_to_request.uid, 3) # set None to request all users payload = {"uid": None} try: self.assertRaises(PermissionDenied, show_user, self.ccd, valid_sid, payload) finally: user.delete(db) user_to_request.delete(db) wg.delete(db)
def test_permission_denied(self): """ if the user is no superadmin and has no ACCESS_ADD a permissionDenied exception is raised """ db = self.ccd._db.conn user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 3) # no ACCESS_ADD valid_sid = self.ccd._assign_user_a_session(user).sid # create user name = str(getRandomBytes()) valid_pld = {"name": name, "mail": "mail@mynewuser", "password": "******"} try: self.assertRaises(PermissionDenied, new_user, self.ccd, valid_sid, valid_pld) finally: user.delete(db) wg.delete(db)
def test_single_user_nonsuperadmin(self): """ a user is allowed to receive information of an arbitrary user, if he has ACCESS_READ in the user2user table. """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 3) # ACCESS_READ valid_sid = self.ccd._assign_user_a_session(user).sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user_to_request.uid, 3) payload = {"uid": user_to_request.uid} res = show_user(self.ccd, valid_sid, payload)[0] try: self.assertEqual(res["uid"], user_to_request.uid) self.assertEqual(res["name"], user_to_request.name) self.assertEqual(res["mail"], user_to_request.mail) self.assertEqual(res["description"], user_to_request.description) finally: user.delete(db) user_to_request.delete(db) wg.delete(db)
def test_permission_denied(self): """ if the user is no superadmin and has no ACCESS_ADD a permissionDenied exception is raised """ db = self.ccd._db.conn user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 3) # no ACCESS_ADD valid_sid = self.ccd._assign_user_a_session(user).sid # create user name = str(getRandomBytes()) valid_pld = { "name": name, "mail": "mail@mynewuser", "password": "******" } try: self.assertRaises(PermissionDenied, new_user, self.ccd, valid_sid, valid_pld) finally: user.delete(db) wg.delete(db)
def test_delpermission(self): """ verify that a user with ACCESS_DEL in user2user table is able to delete users. note: this user must not be the superadmin. """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(random.randrange(1000,9999))) wg = create_workgroup(db, "newworkgroup", user.uid, 2) add_user2user(db, user.uid, 2) # ACCESS_DEL valid_sid = self.ccd._assign_user_a_session(user).sid # create user name = str(getRandomBytes()) valid_pld = {"name": name, "mail": "mail@mynewuser", "password": "******"} # first we create that new user uid = new_user(self.ccd, valid_sid, valid_pld) self.assertIsInstance(uid, int) # second, we delete that user del_pld = {"uid": uid} self.assertIsNone(delete_user(self.ccd, valid_sid, del_pld)) user.delete(db) wg.delete(db)
def test_project_user_superadmin(self): """ using pid instead of uid in payload should return user in corresponding project """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ valid_sid = self.session.sid # create users users = [] for i in range(10): user = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user.uid, 3) users.append(user) # add users to projects for u in users: proj = create_project(db, "test_project_user_superadmin", u, 3) # set None to request all users payload = {"pid": proj.pid} res = show_user(self.ccd, valid_sid, payload) try: self.assertUsersInProject(res, users) finally: proj.delete(db) for u in users: u.delete(db)
def test_all_user_nonsuperadmin(self): """ a user is allowed to receive information of a user, if he has ACCESS_READ in the user2user table. """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 3) # ACCESS_READ valid_sid = self.ccd._assign_user_a_session(user).sid # set None to request all users payload = {"uid": None} res = show_user(self.ccd, valid_sid, payload) meta, conn = db tbl = meta.tables[tbl_users] with conn.begin(): sel = tbl.select().where(tbl.c.deleted == False) users = conn.execute(sel).fetchall() try: self.assertEqualResolution(res, users) finally: user.delete(db) wg.delete(db)
def test_single_user_superadmin(self): """ the superadmin is allowed to receive information of an existing user. """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ valid_sid = self.session.sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user_to_request.uid, 3) payload = {"uid": user_to_request.uid} res = show_user(self.ccd, valid_sid, payload)[0] try: self.assertEqual(res["uid"], user_to_request.uid) self.assertEqual(res["name"], user_to_request.name) self.assertEqual(res["mail"], user_to_request.mail) self.assertEqual(res["description"], user_to_request.description) finally: user_to_request.delete(db) wg.delete(db)
def __get_project_db_creds(dbconn, dbname, n=10, privilege="SELECT"): """ Creates a new user for the project database. Grant set privileges to the new user.. input: dbconn A database connection that is used to create the new postgresl user. dbname Name of the project's database. n Length of the password. privilege Privileges to grant. Default is 'SELECT' (read). output: username The new username to connect with. password The new password to connect with. """ logger.debug("creating db credentials..") username = "******" % dbname password = ccdCrypto.getRandomBytes(n) logger.debug('Created %s with %s (priv: %s)', username, password, repr(privilege)) with dbconn.begin(): #TODO sha1 hash of password create = "CREATE USER {user} WITH PASSWORD '{pwd}';".format( user=username, pwd=password) dbconn.execute(create) __grant_project_db_priv(dbconn, username, privilege=privilege) return username, password
def test_single_user_nonexisting(self): """ requesting a non-existing user should fail """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ valid_sid = self.session.sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user_to_request.uid, 3) payload = {"uid": -1} try: self.assertRaises(NotFoundError, show_user, self.ccd, valid_sid, payload) finally: user_to_request.delete(db) wg.delete(db)
def test_delpermission(self): """ verify that a user with ACCESS_DEL in user2user table is able to delete users. note: this user must not be the superadmin. """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(random.randrange(1000, 9999))) wg = create_workgroup(db, "newworkgroup", user.uid, 2) add_user2user(db, user.uid, 2) # ACCESS_DEL valid_sid = self.ccd._assign_user_a_session(user).sid # create user name = str(getRandomBytes()) valid_pld = { "name": name, "mail": "mail@mynewuser", "password": "******" } # first we create that new user uid = new_user(self.ccd, valid_sid, valid_pld) self.assertIsInstance(uid, int) # second, we delete that user del_pld = {"uid": uid} self.assertIsNone(delete_user(self.ccd, valid_sid, del_pld)) user.delete(db) wg.delete(db)
def test_all_user_nonsuperadmin(self): """ a user is allowed to receive information of a user, if he has ACCESS_READ in the user2user table. """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) add_user2user(db, user.uid, 3) # ACCESS_READ valid_sid = self.ccd._assign_user_a_session(user).sid # set None to request all users payload = {"uid": None} res = show_user(self.ccd, valid_sid, payload) meta, conn = db tbl = meta.tables[tbl_users] with conn.begin(): sel = tbl.select().where(tbl.c.deleted==False) users = conn.execute(sel).fetchall() try: self.assertEqualResolution(res, users) finally: user.delete(db) wg.delete(db)
def test_name_characters(self): """ a name that contains other characters except for a-zA-Z0-9 should raise an database.ccdErrors.InputError with message 'Invalid username' """ valid_sid = self.session.sid name = str(getRandomBytes()) add_pld = { "name": name, "mail": "mail@mynewuser", "password": "******" } # first we create that new user uid = new_user(self.ccd, valid_sid, add_pld) self.assertIsInstance(uid, int) invalid_pld = { "uid": uid, "name": "$!YM=!)(>x)", "mail": "mail@mynewuser", "password": "******" } self.assertRaisesRegexp(InputError, "Invalid username", update_user, self.ccd, valid_sid, invalid_pld)
def __get_project_db_creds(dbconn, dbname, n=10, privilege="SELECT"): """ Creates a new user for the project database. Grant set privileges to the new user.. input: dbconn A database connection that is used to create the new postgresl user. dbname Name of the project's database. n Length of the password. privilege Privileges to grant. Default is 'SELECT' (read). output: username The new username to connect with. password The new password to connect with. """ logger.debug("creating db credentials..") username = "******" % dbname password = ccdCrypto.getRandomBytes(n) logger.debug('Created %s with %s (priv: %s)', username, password, repr(privilege)) with dbconn.begin(): #TODO sha1 hash of password create = "CREATE USER {user} WITH PASSWORD '{pwd}';".format( user=username, pwd=password ) dbconn.execute(create) __grant_project_db_priv(dbconn, username, privilege=privilege) return username, password
def test_single_user_superadmin(self): """ the superadmin is allowed to receive information of an existing user. """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ valid_sid = self.session.sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user_to_request.uid, 3) payload = {"uid": user_to_request.uid} res = show_user(self.ccd, valid_sid, payload)[0] try: self.assertEqual(res["uid"], user_to_request.uid) self.assertEqual(res["name"], user_to_request.name) self.assertEqual(res["mail"], user_to_request.mail) self.assertEqual(res["description"], user_to_request.description) finally: user_to_request.delete(db) wg.delete(db)
def test_invalid_sid(self): """ withough valid session id an error must be raised """ valid_sid = self.session.sid name = str(getRandomBytes()) password = "******" add_pld = {"name": name, "mail": "mail@mynewuser", "password": password} # first we create that new user uid = new_user(self.ccd, valid_sid, add_pld) self.assertIsInstance(uid, int) # second, we update this user with an invalid sessin id password2 = "mypassword2" update_pld = {"uid": uid, "old": password, "new": password2 } invalid_sid = "AAA" self.assertRaises(InvalidSessionID, update_user_passwd, self.ccd, invalid_sid, update_pld)
def test_project_user_superadmin(self): """ using pid instead of uid in payload should return user in corresponding project """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ valid_sid = self.session.sid # create users users = [] for i in range(10): user = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user.uid, 3) users.append(user) # add users to projects for u in users: proj = create_project(db, "test_project_user_superadmin", u, 3) # set None to request all users payload = {"pid": proj.pid} res = show_user(self.ccd, valid_sid, payload) try: self.assertUsersInProject(res, users) finally: proj.delete(db) for u in users: u.delete(db)
def test_project_user_owner(self): """ the project owner is able to request the users within its project """ db = self.ccd._db.conn users = [] # user that requests the information is creator of the new project owner = create_user(db, "owner_%s" % str(getRandomBytes())) create_workgroup(db, "newworkgroup", owner.uid, 3) creator = create_user(db, "creator_%s" % str(getRandomBytes())) create_workgroup(db, "newworkgroup", creator.uid, 3) proj = Project.create_fromname( db, "test_project_user_creator", creator, # creator owner, # owner 1, # type id "my project" #description ) valid_sid = self.ccd._assign_user_a_session(owner).sid # create users for i in range(10): u = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", u.uid, 3) users.append(u) # add users to project for u in users: create_project(db, "test_project_user_creator", u, 3) # set None to request all users payload = {"pid": proj.pid} res = show_user(self.ccd, valid_sid, payload) try: self.assertUsersInProject(res, users) finally: proj.delete(db) for u in users: u.delete(db) creator.delete(db) owner.delete(db)
def test_project_user_owner(self): """ the project owner is able to request the users within its project """ db = self.ccd._db.conn users = [] # user that requests the information is creator of the new project owner = create_user(db, "owner_%s" % str(getRandomBytes())) create_workgroup(db, "newworkgroup", owner.uid, 3) creator = create_user(db, "creator_%s" % str(getRandomBytes())) create_workgroup(db, "newworkgroup", creator.uid, 3) proj = Project.create_fromname( db, "test_project_user_creator", creator, # creator owner, # owner 1, # type id "my project" #description ) valid_sid = self.ccd._assign_user_a_session(owner).sid # create users for i in range(10): u = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", u.uid, 3) users.append(u) # add users to project for u in users: create_project(db, "test_project_user_creator", u, 3) # set None to request all users payload = {"pid": proj.pid} res = show_user(self.ccd, valid_sid, payload) try: self.assertUsersInProject(res, users) finally: proj.delete(db) for u in users: u.delete(db) creator.delete(db) owner.delete(db)
def test_missing_password(self): """ a missing password should raise a InputError with a message 'Invalid payload format!' """ name = str(getRandomBytes()) invalid_pld = {"name": name, "mail": "mail@mynewuser"} self.assertInvalidPayload(invalid_pld)
def test_missing_password(self): """ a missing password should raise a InputError with a message 'Invalid payload format!' """ name = str(getRandomBytes()) invalid_pld = {"name": name, "mail": "mail@mynewuser"} self.assertInvalidPayload(invalid_pld)
def test_write_permission(self): """ verify that a user, with ACCESS_WRITE in user2users-table is able to update an existing user. """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(getRandomBytes())) create_workgroup(db, "newworkgroup", user.uid, 2) add_user2user(db, user.uid, 2) # ACCESS_WRITE valid_sid = self.ccd._assign_user_a_session(user).sid # first we create that new user name = str(getRandomBytes()) add_pld = { "name": name, "mail": "mail@mynewuser", "password": "******" } uid = new_user(self.ccd, valid_sid, add_pld) self.assertIsInstance(uid, int) # second, we update this user name2 = str(getRandomBytes()) mail2 = "mymail%d" % random.randrange(1000, 9999) description2 = "mydescription%d" % random.randrange(1000, 9999) update_pld = { "uid": uid, "name": name2, "mail": mail2, "description": description2 } self.assertIsNone(update_user(self.ccd, valid_sid, update_pld)) # third, we verify that the changed data is written to database user = User.by_uid(self.ccd._db.conn, uid) self.assertEqual(user.name, name2) self.assertEqual(user.mail, mail2) self.assertEqual(user.description, description2)
def test_password_length(self): """ a password that exceeds database.ccddb.MAX_LEN_PASSWORD should raise an database.ccdErrors.InputError with a message 'Password exceeds limit!' """ name = str(getRandomBytes()) invalid_pld = {"name": name, "mail": "mail@mynewuser", "password": "******" * (MAX_LEN_PASSWORD+1)} self.assertExceedsLimit(invalid_pld, "Password")
def test_mail_length(self): """ a mail that exceeds database.ccddb.MAX_LEN_MAIL should raise an database.ccdErrors.InputError with a message 'Mail exceeds limit!' """ name = str(getRandomBytes()) invalid_pld = {"name": name, "mail": "A" * (MAX_LEN_MAIL+1), "password": "******"} self.assertExceedsLimit(invalid_pld, "Mail")
def test_description_length(self): """ a description that exceeds database.ccddb.MAX_LEN_DESC should raise an database.ccdErrors.InputError with a message 'Desc exceeds limit!' """ name = str(getRandomBytes()) invalid_pld = {"name": name, "mail": "mail@mynewuser", "password": "******", "description": "A" * (MAX_LEN_DESC+1)} self.assertExceedsLimit(invalid_pld, "Desc")
def setup_plugin_fd(ccd, sid, rid, args): """ Returns the new stdout/stdin. The new fd is named after some random bla. Further, the fd is stored in db with some additional information like user that started the plugin and command that issued the execution. input: sid session id args arguments that were passed with OP_EXEC output: fd new fd name fid database id of the fd in db """ logger.debug("setting forwarder for plugin") fd_out = "/dev/null" fd_in = "/dev/null" fid = -1 uid = ccd.get_user_and_workgroup(sid)[0].uid command = "%s %s" % (ccd.current_plugin.name, " ".join(args)) plg_id = ccd.current_plugin.id # get directory for client io files fd_dir = get_fd_dir(ccd, sid, plg_id) # random name for new stdout/stdin fd = os.path.join( fd_dir, ccdCrypto.getRandomBytes(16)) # create new stdout fd_out = os.path.join(fd_dir, fd + "_out") # create the output fifo os.mkfifo(fd_out) logger.debug('Output Fifo created: %s', fd_out) # create new stdin if ccd.current_plugin.interactive: fd_in = os.path.join(fd_dir, fd + "_in") # create the input fifo os.mkfifo(fd_in) logger.debug('Input Fifo created: %s', fd_in) # store created fds in database fid = ccddb.storeFd(ccd._db.conn, fd_out, fd_in, uid, command, plg_id, rid) logger.debug("fid=%d", fid) return fd_out, fd_in, fid
def test_description_length(self): """ a description that exceeds database.ccddb.MAX_LEN_DESC should raise an database.ccdErrors.InputError with a message 'Desc exceeds limit!' """ name = str(getRandomBytes()) invalid_pld = { "name": name, "mail": "mail@mynewuser", "description": "A" * (MAX_LEN_DESC + 1) } self.assertExceedsLimit(invalid_pld, "Desc")
def test_mail_length(self): """ a mail that exceeds database.ccddb.MAX_LEN_MAIL should raise an database.ccdErrors.InputError with a message 'Mail exceeds limit!' """ name = str(getRandomBytes()) invalid_pld = { "name": name, "mail": "A" * (MAX_LEN_MAIL + 1), "password": "******" } self.assertExceedsLimit(invalid_pld, "Mail")
def test_password_length(self): """ a password that exceeds database.ccddb.MAX_LEN_PASSWORD should raise an database.ccdErrors.InputError with a message 'Password exceeds limit!' """ name = str(getRandomBytes()) invalid_pld = { "name": name, "mail": "mail@mynewuser", "password": "******" * (MAX_LEN_PASSWORD + 1) } self.assertExceedsLimit(invalid_pld, "Password")
def test_addpermission(self): """ verify that a user with ACCESS_ADD in user2user table is able to create new users. note: this user must not be the superadmin. """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 2) del_user2user(db, user.uid) add_user2user(db, user.uid, 2) # ACCESS_ADD valid_sid = self.ccd._assign_user_a_session(user).sid # create user name = str(getRandomBytes()) valid_pld = { "name": name, "mail": "mail@mynewuser", "password": "******" } # first we create that new user uid = new_user(self.ccd, valid_sid, valid_pld) self.assertIsInstance(uid, int) # second, we check for the user to be in the database user2 = User.by_name(self.ccd._db.conn, name) try: self.assertEqual(uid, user2.uid) finally: # delete them, since they are not needed anymore user2.delete(db) user.delete(db) wg.delete(db)
def test_superadmin(self): """ verify that the superadmin is able to create users""" valid_sid = self.session.sid name = str(getRandomBytes()) valid_pld = {"name": name, "mail": "mail@mynewuser", "password": "******"} # first we create that new user uid = new_user(self.ccd, valid_sid, valid_pld) self.assertIsInstance(uid, int) # second, we check for the user to be in the database uid2 = User.by_name(self.ccd._db.conn, name).uid self.assertEqual(uid, uid2)
def test_non_existing_user(self): """ updating a non existing user should raise a NotFoundError """ valid_sid = self.session.sid name = str(getRandomBytes()) mail = "mymail%d" % random.randrange(1000, 9999) description = "mydescription%d" % random.randrange(1000, 9999) update_pld = { "uid": random.randrange(10000, 99999) * -1, "name": name, "mail": mail, "description": description } self.assertRaises(NotFoundError, update_user, self.ccd, valid_sid, update_pld)
def test_superadmin(self): """ verify that the superadmin is able to delete users""" valid_sid = self.session.sid name = str(getRandomBytes()) add_pld = {"name": name, "mail": "mail@mynewuser", "password": "******"} # first we create that new user uid = new_user(self.ccd, valid_sid, add_pld) self.assertIsInstance(uid, int) # second, we delete the user del_pld = {"uid": uid} self.assertIsNone(delete_user(self.ccd, valid_sid, del_pld))
def setup_plugin_fd(ccd, sid, rid, args): """ Returns the new stdout/stdin. The new fd is named after some random bla. Further, the fd is stored in db with some additional information like user that started the plugin and command that issued the execution. input: sid session id args arguments that were passed with OP_EXEC output: fd new fd name fid database id of the fd in db """ logger.debug("setting forwarder for plugin") fd_out = "/dev/null" fd_in = "/dev/null" fid = -1 uid = ccd.get_user_and_workgroup(sid)[0].uid command = "%s %s" % (ccd.current_plugin.name, " ".join(args)) plg_id = ccd.current_plugin.id # get directory for client io files fd_dir = get_fd_dir(ccd, sid, plg_id) # random name for new stdout/stdin fd = os.path.join(fd_dir, ccdCrypto.getRandomBytes(16)) # create new stdout fd_out = os.path.join(fd_dir, fd + "_out") # create the output fifo os.mkfifo(fd_out) logger.debug('Output Fifo created: %s', fd_out) # create new stdin if ccd.current_plugin.interactive: fd_in = os.path.join(fd_dir, fd + "_in") # create the input fifo os.mkfifo(fd_in) logger.debug('Input Fifo created: %s', fd_in) # store created fds in database fid = ccddb.storeFd(ccd._db.conn, fd_out, fd_in, uid, command, plg_id, rid) logger.debug("fid=%d", fid) return fd_out, fd_in, fid
def test_superadmin(self): """ verify that the superadmin is able to delete users""" valid_sid = self.session.sid name = str(getRandomBytes()) add_pld = { "name": name, "mail": "mail@mynewuser", "password": "******" } # first we create that new user uid = new_user(self.ccd, valid_sid, add_pld) self.assertIsInstance(uid, int) # second, we delete the user del_pld = {"uid": uid} self.assertIsNone(delete_user(self.ccd, valid_sid, del_pld))
def test_uid_noint(self): """ verify that a non-int uid raises an InputError """ db = self.ccd._db.conn valid_sid = self.session.sid name1 = str(getRandomBytes()) create_user(db, name1).uid update_pld = { "uid": "foobar", "name": "fubar", "mail": "foo", "description": "bar" } self.assertRaisesRegexp(InputError, "Invalid payload format!", update_user, self.ccd, valid_sid, update_pld)
def test_superadmin(self): """ verify that the superadmin is able to create users""" valid_sid = self.session.sid name = str(getRandomBytes()) valid_pld = { "name": name, "mail": "mail@mynewuser", "password": "******" } # first we create that new user uid = new_user(self.ccd, valid_sid, valid_pld) self.assertIsInstance(uid, int) # second, we check for the user to be in the database uid2 = User.by_name(self.ccd._db.conn, name).uid self.assertEqual(uid, uid2)
def test_single_user_itself(self): """ showing information of the user itself should work. the user is no superadmin. """ db = self.ccd._db.conn user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) valid_sid = self.ccd._assign_user_a_session(user).sid payload = {"uid": user.uid} res = show_user(self.ccd, valid_sid, payload)[0] try: self.assertEqual(res["uid"], user.uid) self.assertEqual(res["name"], user.name) self.assertEqual(res["mail"], user.mail) self.assertEqual(res["description"], user.description) finally: user.delete(db) wg.delete(db)
def test_single_user_itself(self): """ showing information of the user itself should work. the user is no superadmin. """ db = self.ccd._db.conn user = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user.uid, 3) valid_sid = self.ccd._assign_user_a_session(user).sid payload = {"uid": user.uid} res = show_user(self.ccd, valid_sid, payload)[0] try: self.assertEqual(res["uid"], user.uid) self.assertEqual(res["name"], user.name) self.assertEqual(res["mail"], user.mail) self.assertEqual(res["description"], user.description) finally: user.delete(db) wg.delete(db)
def test_single_user_nonexisting(self): """ requesting a non-existing user should fail """ db = self.ccd._db.conn # user that requests the information. needs ACCESS_READ valid_sid = self.session.sid # user to request for information user_to_request = create_user(db, str(getRandomBytes())) wg = create_workgroup(db, "newworkgroup", user_to_request.uid, 3) payload = {"uid": -1} try: self.assertRaises(NotFoundError, show_user, self.ccd, valid_sid, payload) finally: user_to_request.delete(db) wg.delete(db)
def test_permission_denied(self): """ verify that a non-superdmin user, who has no ACCESS_WRITE is not allowed to modify a user """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(random.randrange(1000, 9999))) wg = create_workgroup(db, "newworkgroup", user.uid, 2) add_user2user(db, user.uid, 3) # No ACCESS_WRITE # create user name = str(getRandomBytes()) password = "******" valid_pld = {"name": name, "mail": "mail@mynewuser", "password": password} # first we create that new user with SA session uid = new_user(self.ccd, self.session.sid, valid_pld) self.assertIsInstance(uid, int) # second, we update this user with a user who has now allowance to do # so password2 = "mypassword2" update_pld = {"uid": uid, "old": password, "new": password2 } valid_sid = self.ccd._assign_user_a_session(user).sid self.assertRaises(PermissionDenied, update_user_passwd, self.ccd, valid_sid, update_pld)
def test_missing_newpassword(self): """ without providing a new password an InputError must be raised """ valid_sid = self.session.sid name = str(getRandomBytes()) password = "******" add_pld = {"name": name, "mail": "mail@mynewuser", "password": password} # first we create that new user uid = new_user(self.ccd, valid_sid, add_pld) self.assertIsInstance(uid, int) # second, we update this user update_pld = {"uid": uid, "old": password } self.assertRaisesRegexp(InputError, "Invalid payload format!", update_user_passwd, self.ccd, valid_sid, update_pld)
def test_addpermission(self): """ verify that a user with ACCESS_ADD in user2user table is able to update user's passwords. note: this user must not be the superadmin. """ db = self.ccd._db.conn # create a user and a workgroup. give the user ACCESS_ADD in # user2users table user = create_user(db, str(random.randrange(1000, 9999))) create_workgroup(db, "newworkgroup", user.uid, 2) add_user2user(db, user.uid, 2) # ACCESS_ADD valid_sid = self.ccd._assign_user_a_session(user).sid # create user name = str(getRandomBytes()) password = "******" valid_pld = {"name": name, "mail": "mail@mynewuser", "password": password} # first we create that new user uid = new_user(self.ccd, valid_sid, valid_pld) self.assertIsInstance(uid, int) # second, we update this user password2 = "mypassword2" update_pld = {"uid": uid, "old": password, "new": password2 } self.assertIsNone(update_user_passwd(self.ccd, valid_sid, update_pld)) # third, we verify that the changed data is written to database users = getusers(self.ccd._db.conn, name, password2) self.assertEqual(len(users), 1)
def test_superadmin(self): """ verify that the superadmin is able to update user's password """ valid_sid = self.session.sid name = str(getRandomBytes()) password = "******" add_pld = {"name": name, "mail": "mail@mynewuser", "password": password} # first we create that new user uid = new_user(self.ccd, valid_sid, add_pld) self.assertIsInstance(uid, int) # second, we update this user password2 = "mypassword2" update_pld = {"uid": uid, "old": password, "new": password2 } self.assertIsNone(update_user_passwd(self.ccd, valid_sid, update_pld)) # third, we verify that the changed data is written to database users = getusers(self.ccd._db.conn, name, password2) self.assertEqual(len(users), 1)