Mailinglist Archive: yast-commit (883 mails)

< Previous Next >
[yast-commit] <rest-service> master : Test with permission checks enabled
  • From: Klaus Kämpf <kkaempf@xxxxxxx>
  • Date: Tue, 7 Jul 2009 14:46:55 +0200
  • Message-id: <E1MOA4c-0001Ui-GF@xxxxxxxxxxxxxxxx>
ref: refs/heads/master
commit 98361575ad526439cfa8d4f243b023c88c19ece3
Author: Klaus Kämpf <kkaempf@xxxxxxx>
Date: Tue Jul 7 14:46:55 2009 +0200

Test with permission checks enabled
---
.../app/controllers/permissions_controller.rb | 117 +++++++++-----------
.../test/functional/permissions_controller_test.rb | 83 ++++++++++----
2 files changed, 111 insertions(+), 89 deletions(-)

diff --git a/webservice/app/controllers/permissions_controller.rb
b/webservice/app/controllers/permissions_controller.rb
index 6319a2f..d22cb8c 100644
--- a/webservice/app/controllers/permissions_controller.rb
+++ b/webservice/app/controllers/permissions_controller.rb
@@ -1,63 +1,59 @@
+#
+#
+#
+
class PermissionsController < ApplicationController

before_filter :login_required

require "scr"

-#--------------------------------------------------------------------------------
-#
-#local methods
-#
-#--------------------------------------------------------------------------------
-
+ private

def get_permission_list(user_id, filter = nil)
- ok = true
- @permissions = []
- ret = Scr.instance.execute(["polkit-action"])
- if ret[:exit] == 0
- suse_string = "org.opensuse.yast."
- lines = ret[:stdout].split "\n"
-
- # a hash for mapping string 'permission name' => boolean 'granted'
- perms = Hash.new
-
- lines.each do |s|
- if (s.include?( suse_string )) &&
- (filter.blank? || s.include?( filter ))
- # set 'not granted' default
- perms[s] = false
- end
- end
-
- ret = Scr.instance.execute(["polkit-auth", "--user", user_id,
"--explicit"])
- if ret[:exit] == 0
- lines = ret[:stdout].split "\n"
- lines.each do |s|
- # ignore the rights which do not have the prefix, do not have any
.policy file
- # or do not match the filter
- if (s.include?( suse_string )) && perms.has_key?(s) &&
(filter.blank? || s.include?( filter ))
- # update the value to 'granted' state
- perms[s] = true
- end
- end
-
- # convert the hash to a list of Permission objects
- @permissions = []
- perms.each do |name,value|
- permission = Permission.new
- permission.name = name
- permission.grant = value
- @permissions << permission
- end
- else
- ok = false
- end
- else
- ok = false
- end
+ @permissions = []
+ ret = Scr.instance.execute(["polkit-action"])
+ return false unless ret && ret[:exit] == 0
+
+ suse_string = "org.opensuse.yast."
+ lines = ret[:stdout].split("\n") rescue []
+
+ # a hash for mapping string 'permission name' => boolean 'granted'
+ perms = Hash.new
+
+ lines.each do |s|
+ if (s.include?( suse_string )) &&
+ (filter.blank? || s.include?( filter ))
+ # set 'not granted' default
+ perms[s] = false
+ end
+ end
+
+ ret = Scr.instance.execute(["polkit-auth", "--user", user_id,
"--explicit"])
+ return false unless ret && ret[:exit] == 0
+
+ lines = ret[:stdout].split("\n") rescue []
+ lines.each do |s|
+ # ignore the rights which do not have the prefix, do not have any
.policy file
+ # or do not match the filter
+ if (s.include?( suse_string )) && perms.has_key?(s) && (filter.blank? ||
s.include?( filter ))
+ # update the value to 'granted' state
+ perms[s] = true
+ end
+ end
+
+ # convert the hash to a list of Permission objects
+ @permissions = []
+ perms.each do |name,value|
+ permission = Permission.new
+ permission.name = name
+ permission.grant = value
+ @permissions << permission
+ end
end

+
+ public

#--------------------------------------------------------------------------------
#
# actions
@@ -76,14 +72,12 @@ class PermissionsController < ApplicationController
if params[:user_id].blank?
render ErrorResult.error(404, 2, "user_id is not defined") and return
end
- if !get_permission_list(params[:user_id], params[:filter])
+ unless get_permission_list(params[:user_id], params[:filter])
render ErrorResult.error(404, 2, "cannot get permission list") and return
end
end

# GET /users/<uid>/permissions/<id>?user_id=<user_id>
- # GET /users/<uid>/permissions/<id>.xml?user_id=<user_id>
- # GET /users/<uid>/permissions/<id>.json?user_id=<user_id>

def show
unless (permission_check( "org.opensuse.yast.permissions.read") ||
(!params[:user_id].blank? && self.current_account.login == params[:user_id]))
@@ -95,16 +89,9 @@ class PermissionsController < ApplicationController
if params[:id].blank?
render ErrorResult.error(404, 2, "right is not defined") and return
end
- jsonFormat = false
right = params[:id]
- if params[:id].end_with?(".json")
- jsonFormat = true
- right = params[:id].slice(0..-7)
- else
- right = params[:id].slice(0..-5) if params[:id].end_with?(".xml")
- end
@permission = Permission.new
- if !get_permission_list(params[:user_id])
+ unless get_permission_list(params[:user_id])
render ErrorResult.error(404, 1, "cannot get permission list") and return
end
for i in 0..@xxxxxxxxxxxxxxxxxx
@@ -113,12 +100,14 @@ class PermissionsController < ApplicationController
break
end
end
- if permission.name.blank?
+ if !permission || permission.name.blank?
render ErrorResult.error(404, 1, "Permission: #{right} not found.") and
return
end

- return render(:json => permission.to_json, :location => "none") if
jsonFormat
- return render(:xml => permission, :location => "none")
+ respond_to do |format|
+ format.json { render(:json => permission.to_json, :location => "none") }
+ format.xml { render(:xml => permission, :location => "none") }
+ end
end

# PUT /permissions/<user_id>
diff --git a/webservice/test/functional/permissions_controller_test.rb
b/webservice/test/functional/permissions_controller_test.rb
index 4e754e8..58de311 100644
--- a/webservice/test/functional/permissions_controller_test.rb
+++ b/webservice/test/functional/permissions_controller_test.rb
@@ -12,84 +12,117 @@ require 'mocha'

class PermissionsControllerTest < ActionController::TestCase
fixtures :accounts
+
def setup
@controller = PermissionsController.new
@request = ActionController::TestRequest.new
+
+ # Fake an active session
# http://railsforum.com/viewtopic.php?id=1719
@request.session[:account_id] = 1 # defined in fixtures
+

Scr.any_instance.stubs(:execute).with(["polkit-action"]).returns({:stderr=>"",
:exit=>0,
:stdout=>"org.opensuse.yast.system.users.read\norg.opensuse.yast.system.users.write\norg.opensuse.yast.system.users.new\norg.opensuse.yast.system.users.delete\n"})
- Scr.any_instance.stubs(:execute).with(["polkit-auth", "--user", "schubi",
"--explicit"]).returns(:stderr=>"", :exit=>0,
:stdout=>"org.opensuse.yast.system.users.read\norg.opensuse.yast.system.users.write\norg.opensuse.yast.system.users.new\n")
- Scr.any_instance.stubs(:execute).with(['polkit-auth', '--user', 'schubi',
'--grant', 'org.opensuse.yast.patch.install']).returns({:stderr=>"", :exit=>0,
:stdout=>""})
+ Scr.any_instance.stubs(:execute).with(["polkit-auth", "--user",
"test_user", "--explicit"]).returns(:stderr=>"", :exit=>0,
:stdout=>"org.opensuse.yast.system.users.read\norg.opensuse.yast.system.users.write\norg.opensuse.yast.system.users.new\n")
+ Scr.any_instance.stubs(:execute).with(['polkit-auth', '--user',
'test_user', '--grant',
'org.opensuse.yast.patch.install']).returns({:stderr=>"", :exit=>0,
:stdout=>""})
end

- test "access index" do
- get :index, :user_id => "schubi"
+ test "permissions access index" do
+ get :index, :user_id => "test_user"
assert_response :success
end

- test "access index xml" do
+ test "permissions access index production" do
+ save = ENV['RAILS_ENV']
+ ENV['RAILS_ENV'] = "production"
+ get :index
+ ENV['RAILS_ENV'] = save
+ assert_response 403
+ end
+
+ test "permissions access index xml" do
mime = Mime::XML
@request.accept = mime.to_s
- get :index, :user_id => "schubi", :format => :xml
+ get :index, :user_id => "test_user", :format => :xml
assert_equal mime.to_s, @response.content_type
end

- test "access index json" do
+ test "permissions access index json" do
mime = Mime::JSON
@request.accept = mime.to_s
- get :index, :user_id => "schubi", :format => :json
+ get :index, :user_id => "test_user", :format => :json
assert_equal mime.to_s, @response.content_type
end

- test "access index without user" do
+ test "permissions access index without user" do
get :index
assert_response 404
end

- test "access index with wrong user" do
+ test "permissions access index with wrong user" do
Scr.any_instance.stubs(:execute).with(["polkit-auth", "--user", "not
avail", "--explicit"]).returns({:stderr=>"polkit-auth: cannot look up uid for
user 'not avail'\n", :exit=>1, :stdout=>""})
get :index, :user_id => "not avail"
assert_response 404
end

- test "access show" do
- get :show, :id => "org.opensuse.yast.system.users.read", :user_id =>
"schubi"
+ test "permissions access show" do
+ get :show, :id => "org.opensuse.yast.system.users.read", :user_id =>
"test_user"
assert_response :success
end

- test "access show without right" do
- get :show, :user_id => "schubi"
- assert_response 404
+ test "permissions access show json" do
+ mime = Mime::JSON
+ @request.accept = mime.to_s
+ get :show, :id => "org.opensuse.yast.system.users.read", :user_id =>
"test_user"
+ assert_response :success
end

- test "access show without user" do
+ test "permissions access show production" do
+ save = ENV['RAILS_ENV']
+ ENV['RAILS_ENV'] = "production"
+ get :show, :id => "org.opensuse.yast.system.users.read"
+ ENV['RAILS_ENV'] = save
+ assert_response 403
+ end
+
+ test "permissions access show without right" do
+ save = ENV['RAILS_ENV']
+ ENV['RAILS_ENV'] = "production"
+ get :show, :user_id => "nobody"
+ ENV['RAILS_ENV'] = save
+ assert_response 403
+ end
+
+ test "permissions access show without user" do
get :show, :id => "org.opensuse.yast.system.users.read"
assert_response 404
end

- test "access show without user AND right" do
+ test "permissions access show without user AND right" do
get :show
assert_response 404
end

- test "setting permissions" do
- put :update, :permissions => {"name"=>"org.opensuse.yast.patch.install",
"id"=>"schubi", "grant"=>true}, :id=>"schubi.xml"
+ test "permissions setting" do
+ put :update, :permissions => {"name"=>"org.opensuse.yast.patch.install",
"id"=>"test_user", "grant"=>true}, :id=>"test_user"
assert_response :success
end

- test "setting permissions without permissions" do
- put :update, :id=>"schubi.xml"
- assert_response 404
+ test " setting permissions without permissions" do
+ save = ENV['RAILS_ENV']
+ ENV['RAILS_ENV'] = "production"
+ put :update, :id=>"nobody"
+ ENV['RAILS_ENV'] = save
+ assert_response 403
end

test "setting permissions without user" do
- put :update, :permissions => {"name"=>"org.opensuse.yast.patch.install",
"id"=>"schubi", "grant"=>true}
+ put :update, :permissions => {"name"=>"org.opensuse.yast.patch.install",
"id"=>"test_user", "grant"=>true}
assert_response 404
end

test "setting permissions returns false from polkit-auth" do
- Scr.any_instance.stubs(:execute).with(['polkit-auth', '--user', 'schubi',
'--grant', 'org.opensuse.yast.patch.install']).returns({:stderr=>"error",
:exit=>1, :stdout=>""})
- put :update, :permissions => {"name"=>"org.opensuse.yast.patch.install",
"id"=>"schubi", "grant"=>true}, :id=>"schubi.xml"
+ Scr.any_instance.stubs(:execute).with(['polkit-auth', '--user',
'test_user', '--grant',
'org.opensuse.yast.patch.install']).returns({:stderr=>"error", :exit=>1,
:stdout=>""})
+ put :update, :permissions => {"name"=>"org.opensuse.yast.patch.install",
"id"=>"test_user", "grant"=>true}, :id=>"test_user"
assert_response 404
end

--
To unsubscribe, e-mail: yast-commit+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: yast-commit+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages