author | benoitc <benoitc@apache.org> | 2012-01-07 11:09:14 +0100 |
---|---|---|
committer | benoitc <benoitc@apache.org> | 2012-01-07 11:09:14 +0100 |
commit | 157db510b7832a2fc6c262b6072cc2915950959b (patch) | |
tree | 87f0fc77defa86d945a4a5de1583e1bb95862b86 | |
parent | 4f2a0794a65f6518089ac3667425a2a17b30bc9c (diff) | |
download | couchdb-157db510b7832a2fc6c262b6072cc2915950959b.tar.gz |
fix user_db_security tests.
spotted by Jason Smith, thanks!
-rw-r--r-- | share/www/script/test/users_db_security.js | 170 |
1 files changed, 5 insertions, 165 deletions
diff --git a/share/www/script/test/users_db_security.js b/share/www/script/test/users_db_security.js
index 811ea7ff1..b3968b196 100644
--- a/share/www/script/test/users_db_security.js
+++ b/share/www/script/test/users_db_security.js
@@ -63,52 +63,6 @@ couchTests.users_db_security = function(debug) {
 {
 usersDb.deleteDb();
- if (debug) debugger;
-
- var loginUser = function(username) {
- var pws = {
- jan: "apple",
- jchris: "mp3",
- jchris1: "couch",
- fdmanana: "foobar"
- var username1 = username.replace(/[0-9]$/, "");
- var password = pws[username];
- //console.log("Logging in '" + username1 + "' with password '" + password + "'");
- T(CouchDB.login(username1, pws[username]).ok);
- };
-
- var open_as = function(db, docId, username) {
- loginUser(username);
- try {
- return db.open(docId, {"anti-cache": Math.round(Math.random() * 100000)});
- } finally {
- CouchDB.logout();
- }
- };
-
- var view_as = function(db, viewname, username) {
- loginUser(username);
- try {
- return db.view(viewname);
- } finally {
- CouchDB.logout();
- }
- };
-
- var save_as = function(db, doc, username)
- {
- loginUser(username);
- try {
- return db.save(doc);
- } catch (ex) {
- return ex;
- } finally {
- CouchDB.logout();
- }
- };
-
- var testFun = function()
- {
 // _users db
 // a doc with a field 'password' should be hashed to 'password_sha'
 // with salt and salt stored in 'salt', 'password' is set to null.
@@ -181,7 +135,7 @@ couchTests.users_db_security = function(debug) {
 "should not_found opening another user's user doc");
- // save a db admin
+ // save a db amin
 var benoitcDoc = {
 _id: "org.couchdb.user:benoitc",
 type: "user",
@@ -228,6 +182,7 @@ couchTests.users_db_security = function(debug) {
 var result = view_as(usersDb, "user_db_auth/test", "benoitc");
 TEquals(3, result.total_rows, "should allow access and list two users to db admin");
+ // non-admins can't read design docs
 try {
 open_as(usersDb, "_design/user_db_auth", "jchris1");
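Review bot: The replacement comment `// save a db amin` in the second hunk (@@ -181,7 +135,7 @@) introduces a typo where the removed line `// save a db admin` was already correct; keep `// save a db admin`. The hunk's other lines are unchanged context around the benoitcDoc literal, so nothing else in it needs attention. The enclosing test function starts and ends outside this hunk.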
@@ -236,12 +191,14 @@ couchTests.users_db_security = function(debug) {
 TEquals("forbidden", e.error, "non-admins can't read design docs");
 }
+ console.log(fdmananaDoc);
 // admin should be able to read and edit any user doc
 fdmananaDoc.password = "mobile";
 var result = save_as(usersDb, fdmananaDoc, "jan");
 TEquals(true, result.ok, "admin should be able to update any user doc");
- // db admin should be able to read and edit any user doc
+ console.log(fdmananaDoc);
+ // admin should be able to read and edit any user doc
 fdmananaDoc.password = "mobile1";
 var result = save_as(usersDb, fdmananaDoc, "benoitc");
 TEquals(true, result.ok, "db admin by role should be able to update any user doc");
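Review bot: The two added `console.log(fdmananaDoc);` lines leave debug output in the test and print the user document itself; the second call runs right after `fdmananaDoc.password = "mobile";` has been set and saved, so the local copy still carries that plaintext `password` field and the test credential ends up in the runner's output (the first call presumably prints an earlier plaintext value too, though that is not visible in this hunk). Both lines should be dropped; if the state of the document is worth checking here, assert on it with `TEquals` instead of logging it. The comment rewrite on the second block, `// admin should be able to read and edit any user doc`, now duplicates the comment above it even though the assertion message two lines below is about a db admin by role, so the removed wording `// db admin should be able to read and edit any user doc` was the more accurate one and should stay. The enclosing callback and test function start and end outside the hunk.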
@@ -268,123 +225,6 @@ couchTests.users_db_security = function(debug) {
 // log in one last time so run_on_modified_server can clean up the admin account
 TEquals(true, CouchDB.login("jan", "apple").ok);
 });
-
- userDoc = usersDb.open("org.couchdb.user:jchris");
- TEquals(undefined, userDoc.password, "password field should be null 1");
- TEquals(40, userDoc.password_sha.length, "password_sha should exist");
- TEquals(32, userDoc.salt.length, "salt should exist");
-
- // create server admin
- run_on_modified_server([
- {
- section: "admins",
- key: "jan",
- value: "apple"
- }
- ], function() {
-
- // anonymous should not be able to read an existing user's user document
- var res = usersDb.open("org.couchdb.user:jchris");
- TEquals(null, res, "anonymous user doc read should be not found");
-
- // user should be able to read their own document
-
- var jchrisDoc = open_as(usersDb, "org.couchdb.user:jchris", "jchris");
- TEquals("org.couchdb.user:jchris", jchrisDoc._id);
-
- // user should bt able to update their own document
- // new 'password' fields should trigger new hashing routine
- jchrisDoc.password = "couch";
-
- TEquals(true, save_as(usersDb, jchrisDoc, "jchris").ok);
- var jchrisDoc = open_as(usersDb, "org.couchdb.user:jchris", "jchris1");
-
- TEquals(undefined, jchrisDoc.password, "password field should be null 2");
- TEquals(40, jchrisDoc.password_sha.length, "password_sha should exist");
- TEquals(32, jchrisDoc.salt.length, "salt should exist");
-
- TEquals(true, userDoc.salt != jchrisDoc.salt, "should have new salt");
- TEquals(true, userDoc.password_sha != jchrisDoc.password_sha,
- "should have new password_sha");
-
- // user should not be able to read another user's user document
- var fdmananaDoc = {
- _id: "org.couchdb.user:fdmanana",
- type: "user",
- name: "fdmanana",
- password: "foobar",
- roles: []
- };
-
- usersDb.save(fdmananaDoc);
-
- var fdmananaDocAsReadByjchris =
- open_as(usersDb, "org.couchdb.user:fdmanana", "jchris1");
- TEquals(null, fdmananaDocAsReadByjchris,
- "should not_found opening another user's user doc");
-
- // user should not be able to read from any view
- var ddoc = {
- _id: "_design/user_db_auth",
- views: {
- test: {
- map: "function(doc) { emit(doc._id, null); }"
- }
- }
- };
-
- save_as(usersDb, ddoc, "jan");
-
- try {
- usersDb.view("user_db_auth/test");
- T(false, "user had access to view in admin db");
- } catch(e) {
- TEquals("forbidden", e.error,
- "non-admins should not be able to read a view");
- }
-
- // admin should be able to read from any view
- var result = view_as(usersDb, "user_db_auth/test", "jan");
- TEquals(3, result.total_rows, "should allow access and list two users");
-
- // db admin should be able to read from any view
- var result = view_as(usersDb, "user_db_auth/test", "benoitc");
- TEquals(3, result.total_rows, "should allow access and list two users to db admin");
-
-
- // non-admins can't read design docs
- try {
- open_as(usersDb, "_design/user_db_auth", "jchris1");
- T(false, "non-admin read design doc, should not happen");
- } catch(e) {
- TEquals("forbidden", e.error, "non-admins can't read design docs");
- }
-
- console.log(fdmananaDoc);
- // admin should be able to read and edit any user doc
- fdmananaDoc.password = "mobile";
- var result = save_as(usersDb, fdmananaDoc, "jan");
- TEquals(true, result.ok, "admin should be able to update any user doc");
-
- console.log(fdmananaDoc);
- // admin should be able to read and edit any user doc
- fdmananaDoc.password = "mobile1";
- var result = save_as(usersDb, fdmananaDoc, "benoitc");
- TEquals(true, result.ok, "db admin should be able to update any user doc");
-
- // ensure creation of old-style docs still works
- var robertDoc = CouchDB.prepareUserDoc({ name: "robert" }, "anchovy");
- var result = usersDb.save(robertDoc);
- TEquals(true, result.ok, "old-style user docs should still be accepted");
-
- // ensure creation of old-style docs still works
- var robertDoc = CouchDB.prepareUserDoc({ name: "robert" }, "anchovy");
- var result = userDb.save(robertDoc);
- TEquals(true, result.ok, "old-style user docs should still be accepted");
-
- // log in one last time so run_on_modified_server can clean up the admin account
- TEquals(true, CouchDB.login("jan", "apple").ok);
- });
 };
 usersDb.deleteDb();