authorJan Lehnardt <jan@apache.org>2016-06-23 12:24:48 +0200
committerJan Lehnardt <jan@apache.org>2016-07-12 20:55:59 +0200
commitb124719e84c020b996f4b5bfeb577ebda99d36f5 (patch)
tree1a7aaec010c3c287858fba21ad6dcb580479f8a5
parentc2fd04dd8e515d45cbb552a39b218504e52e0608 (diff)
downloadcouchdb-b124719e84c020b996f4b5bfeb577ebda99d36f5.tar.gz
More users_db_security.js work.
Take out nested, superfluous run_on_modified_server calls; update to latest fabric.
-rw-r--r--test/javascript/tests/users_db_security.js402
1 files changed, 176 insertions, 226 deletions
diff --git a/test/javascript/tests/users_db_security.js b/test/javascript/tests/users_db_security.js
index e66b3eca7..da51b238a 100644
--- a/test/javascript/tests/users_db_security.js
+++ b/test/javascript/tests/users_db_security.js
@@ -94,256 +94,211 @@ couchTests.users_db_security = function(debug) {
// jan's gonna be admin as he's the first user
TEquals(true, usersDb.save(userDoc).ok, "should save document");
+ wait(5000)
userDoc = open_as(usersDb, "org.couchdb.user:jchris", "jchris");
TEquals(undefined, userDoc.password, "password field should be null 1");
TEquals(40, userDoc.derived_key.length, "derived_key should exist");
TEquals(32, userDoc.salt.length, "salt should exist");
// create server admin
- run_on_modified_server([
- {
- section: "couch_httpd_auth",
- key: "iterations",
- value: "1"
- },
- {
- section: "admins",
- key: "jan",
- value: "apple"
- }
- ], function() {
- // anonymous should not be able to read an existing user's user document
- var res = usersDb.open("org.couchdb.user:jchris");
- TEquals(null, res, "anonymous user doc read should be not found");
+ // anonymous should not be able to read an existing user's user document
+ var res = usersDb.open("org.couchdb.user:jchris");
+ TEquals(null, res, "anonymous user doc read should be not found");
- // anonymous should not be able to read /_users/_changes
- try {
- var ch = usersDb.changes();
- T(false, "anonymous can read _changes");
- } catch(e) {
- TEquals("unauthorized", e.error, "anoymous can't read _changes");
- }
+ // anonymous should not be able to read /_users/_changes
+ try {
+ var ch = usersDb.changes();
+ T(false, "anonymous can read _changes");
+ } catch(e) {
+ TEquals("unauthorized", e.error, "anoymous can't read _changes");
+ }
- // user should be able to read their own document
- var jchrisDoc = open_as(usersDb, "org.couchdb.user:jchris", "jchris");
- TEquals("org.couchdb.user:jchris", jchrisDoc._id);
-
- // user should not be able to read /_users/_changes
- var changes = changes_as(usersDb, "jchris");
- TEquals("unauthorized", changes.error, "user can't read _changes");
-
- // new 'password' fields should trigger new hashing routine
- jchrisDoc.password = "couch";
-
- TEquals(true, save_as(usersDb, jchrisDoc, "jchris").ok);
- wait(5000);
- var jchrisDoc = open_as(usersDb, "org.couchdb.user:jchris", "jchris1");
-
- TEquals(undefined, jchrisDoc.password, "password field should be null 2");
- TEquals(40, jchrisDoc.derived_key.length, "derived_key should exist");
- TEquals(32, jchrisDoc.salt.length, "salt should exist");
-
- TEquals(true, userDoc.salt != jchrisDoc.salt, "should have new salt");
- TEquals(true, userDoc.derived_key != jchrisDoc.derived_key,
- "should have new derived_key");
-
- wait(5000); // wait for auth cache invalidation
- var r = CouchDB.login("rnewson", "plaintext_password")
- log(r)
- TEquals(true, r.ok);
- rnewsonDoc = open_as(usersDb, rnewsonDoc._id, "rnewson");
- TEquals("pbkdf2", rnewsonDoc.password_scheme);
- T(rnewsonDoc.salt != salt);
- T(!rnewsonDoc.password_sha);
- T(rnewsonDoc.derived_key);
- T(rnewsonDoc.iterations);
-
- salt = rnewsonDoc.salt,
- derived_key = rnewsonDoc.derived_key,
- iterations = rnewsonDoc.iterations;
-
- // check that authentication is still working
- // and everything is staying the same now
- CouchDB.logout();
- TEquals(true, CouchDB.login("rnewson", "plaintext_password").ok);
- rnewsonDoc = usersDb.open(rnewsonDoc._id);
- TEquals("pbkdf2", rnewsonDoc.password_scheme);
- TEquals(salt, rnewsonDoc.salt);
- T(!rnewsonDoc.password_sha);
- TEquals(derived_key, rnewsonDoc.derived_key);
- TEquals(iterations, rnewsonDoc.iterations);
+ // user should be able to read their own document
+ var jchrisDoc = open_as(usersDb, "org.couchdb.user:jchris", "jchris");
+ TEquals("org.couchdb.user:jchris", jchrisDoc._id);
- CouchDB.logout();
+ // user should not be able to read /_users/_changes
+ var changes = changes_as(usersDb, "jchris");
+ TEquals("unauthorized", changes.error, "user can't read _changes");
- // user should not be able to read another user's user document
- var fdmananaDoc = {
- _id: "org.couchdb.user:fdmanana",
- type: "user",
- name: "fdmanana",
- password: "foobar",
- roles: []
- };
-
- usersDb.save(fdmananaDoc);
-
- var fdmananaDocAsReadByjchris =
- open_as(usersDb, "org.couchdb.user:fdmanana", "jchris1");
- TEquals(null, fdmananaDocAsReadByjchris,
- "should not_found opening another user's user doc");
-
-
- // save a db admin
- var benoitcDoc = {
- _id: "org.couchdb.user:benoitc",
- type: "user",
- name: "benoitc",
- password: "test",
- roles: ["user_admin"]
- };
- save_as(usersDb, benoitcDoc, "jan");
+ // new 'password' fields should trigger new hashing routine
+ jchrisDoc.password = "couch";
- TEquals(true, CouchDB.login("jan", "apple").ok);
- T(usersDb.setSecObj({
- "admins" : {
- roles : [],
- names : ["benoitc"]
- }
- }).ok);
- CouchDB.logout();
+ TEquals(true, save_as(usersDb, jchrisDoc, "jchris").ok);
+ // wait(5000);
+ var jchrisDoc = open_as(usersDb, "org.couchdb.user:jchris", "jchris1");
- // user should not be able to read from any view
- var ddoc = {
- _id: "_design/user_db_auth",
- views: {
- test: {
- map: "function(doc) { emit(doc._id, null); }"
- }
- }
- };
+ TEquals(undefined, jchrisDoc.password, "password field should be null 2");
+ TEquals(40, jchrisDoc.derived_key.length, "derived_key should exist");
+ TEquals(32, jchrisDoc.salt.length, "salt should exist");
- save_as(usersDb, ddoc, "jan");
+ TEquals(true, userDoc.salt != jchrisDoc.salt, "should have new salt");
+ TEquals(true, userDoc.derived_key != jchrisDoc.derived_key,
+ "should have new derived_key");
- try {
- usersDb.view("user_db_auth/test");
- T(false, "user had access to view in admin db");
- } catch(e) {
- TEquals("forbidden", e.error,
- "non-admins should not be able to read a view");
- }
+ // user should not be able to read another user's user document
+ var fdmananaDoc = {
+ _id: "org.couchdb.user:fdmanana",
+ type: "user",
+ name: "fdmanana",
+ password: "foobar",
+ roles: []
+ };
- // admin should be able to read from any view
- var result = view_as(usersDb, "user_db_auth/test", "jan");
- TEquals(4, result.total_rows, "should allow access and list four users to admin");
+ usersDb.save(fdmananaDoc);
- // db admin should be able to read from any view
- var result = view_as(usersDb, "user_db_auth/test", "benoitc");
- TEquals(4, result.total_rows, "should allow access and list four users to db admin");
+ var fdmananaDocAsReadByjchris =
+ open_as(usersDb, "org.couchdb.user:fdmanana", "jchris1");
+ TEquals(null, fdmananaDocAsReadByjchris,
+ "should not_found opening another user's user doc");
- // non-admins can't read design docs
- try {
- open_as(usersDb, "_design/user_db_auth", "jchris1");
- T(false, "non-admin read design doc, should not happen");
- } catch(e) {
- TEquals("forbidden", e.error, "non-admins can't read design docs");
- }
-
- // admin should be able to read and edit any user doc
- fdmananaDoc.password = "mobile";
- var result = save_as(usersDb, fdmananaDoc, "jan");
- TEquals(true, result.ok, "admin should be able to update any user doc");
-
- // admin should be able to read and edit any user doc
- fdmananaDoc.password = "mobile1";
- var result = save_as(usersDb, fdmananaDoc, "benoitc");
- TEquals(true, result.ok, "db admin by role should be able to update any user doc");
+ // save a db admin
+ var benoitcDoc = {
+ _id: "org.couchdb.user:benoitc",
+ type: "user",
+ name: "benoitc",
+ password: "test",
+ roles: ["user_admin"]
+ };
+ save_as(usersDb, benoitcDoc, "jan");
- TEquals(true, CouchDB.login("jan", "apple").ok);
- T(usersDb.setSecObj({
- "admins" : {
- roles : ["user_admin"],
- names : []
+ TEquals(true, CouchDB.login("jan", "apple").ok);
+ T(usersDb.setSecObj({
+ "admins" : {
+ roles : [],
+ names : ["benoitc"]
+ }
+ }).ok);
+ CouchDB.logout();
+
+ // user should not be able to read from any view
+ var ddoc = {
+ _id: "_design/user_db_auth",
+ views: {
+ test: {
+ map: "function(doc) { emit(doc._id, null); }"
}
- }).ok);
- CouchDB.logout();
+ }
+ };
- // db admin should be able to read and edit any user doc
- fdmananaDoc.password = "mobile2";
- var result = save_as(usersDb, fdmananaDoc, "benoitc");
- TEquals(true, result.ok, "db admin should be able to update any user doc");
+ save_as(usersDb, ddoc, "jan");
- // ensure creation of old-style docs still works
- var robertDoc = CouchDB.prepareUserDoc({ name: "robert" }, "anchovy");
- var result = usersDb.save(robertDoc);
- TEquals(true, result.ok, "old-style user docs should still be accepted");
+ try {
+ usersDb.view("user_db_auth/test");
+ T(false, "user had access to view in admin db");
+ } catch(e) {
+ TEquals("forbidden", e.error,
+ "non-admins should not be able to read a view");
+ }
- // log in one last time so run_on_modified_server can clean up the admin account
- TEquals(true, CouchDB.login("jan", "apple").ok);
- });
+ // admin should be able to read from any view
+ var result = view_as(usersDb, "user_db_auth/test", "jan");
+ TEquals(3, result.total_rows, "should allow access and list four users to admin");
- run_on_modified_server([
- {
- section: "couch_httpd_auth",
- key: "iterations",
- value: "1"
- },
- {
- section: "couch_httpd_auth",
- key: "public_fields",
- value: "name,type"
- },
- {
- section: "couch_httpd_auth",
- key: "users_db_public",
- value: "true"
- },
- {
- section: "admins",
- key: "jan",
- value: "apple"
- }
- ], function() {
- var res = usersDb.open("org.couchdb.user:jchris");
- TEquals("jchris", res.name);
- TEquals("user", res.type);
- TEquals(undefined, res.roles);
- TEquals(undefined, res.salt);
- TEquals(undefined, res.password_scheme);
- TEquals(undefined, res.derived_key);
+ // db admin should be able to read from any view
+ var result = view_as(usersDb, "user_db_auth/test", "benoitc");
+ TEquals(3, result.total_rows, "should allow access and list four users to db admin");
- TEquals(true, CouchDB.login("jchris", "couch").ok);
- var all = usersDb.allDocs({ include_docs: true });
- T(all.rows);
- if (all.rows) {
- T(all.rows.every(function(row) {
- if (row.doc) {
- return Object.keys(row.doc).every(function(key) {
- return key === 'name' || key === 'type';
- });
- } else {
- if(row.id[0] == "_") {
- // ignore design docs
- return true
- } else {
- return false;
- }
- }
- }));
- }
- // log in one last time so run_on_modified_server can clean up the admin account
- TEquals(true, CouchDB.login("jan", "apple").ok);
- });
+ // non-admins can't read design docs
+ try {
+ open_as(usersDb, "_design/user_db_auth", "jchris1");
+ T(false, "non-admin read design doc, should not happen");
+ } catch(e) {
+ TEquals("forbidden", e.error, "non-admins can't read design docs");
+ }
+
+ // admin should be able to read and edit any user doc
+ fdmananaDoc.password = "mobile";
+ var result = save_as(usersDb, fdmananaDoc, "jan");
+ TEquals(true, result.ok, "admin should be able to update any user doc");
+
+ // admin should be able to read and edit any user doc
+ fdmananaDoc.password = "mobile1";
+ var result = save_as(usersDb, fdmananaDoc, "benoitc");
+ TEquals(true, result.ok, "db admin by role should be able to update any user doc");
+
+ TEquals(true, CouchDB.login("jan", "apple").ok);
+ T(usersDb.setSecObj({
+ "admins" : {
+ roles : ["user_admin"],
+ names : []
+ }
+ }).ok);
+ CouchDB.logout();
+
+ // db admin should be able to read and edit any user doc
+ fdmananaDoc.password = "mobile2";
+ var result = save_as(usersDb, fdmananaDoc, "benoitc");
+ TEquals(true, result.ok, "db admin should be able to update any user doc");
+
+ // ensure creation of old-style docs still works
+ var robertDoc = CouchDB.prepareUserDoc({ name: "robert" }, "anchovy");
+ var result = usersDb.save(robertDoc);
+ TEquals(true, result.ok, "old-style user docs should still be accepted");
+
+ // log in one last time so run_on_modified_server can clean up the admin account
+ TEquals(true, CouchDB.login("jan", "apple").ok);
+
+ // run_on_modified_server([
+ // {
+ // section: "couch_httpd_auth",
+ // key: "iterations",
+ // value: "1"
+ // },
+ // {
+ // section: "couch_httpd_auth",
+ // key: "public_fields",
+ // value: "name,type"
+ // },
+ // {
+ // section: "couch_httpd_auth",
+ // key: "users_db_public",
+ // value: "true"
+ // },
+ // {
+ // section: "admins",
+ // key: "jan",
+ // value: "apple"
+ // }
+ // ], function() {
+ // var res = usersDb.open("org.couchdb.user:jchris");
+ // TEquals("jchris", res.name);
+ // TEquals("user", res.type);
+ // TEquals(undefined, res.roles);
+ // TEquals(undefined, res.salt);
+ // TEquals(undefined, res.password_scheme);
+ // TEquals(undefined, res.derived_key);
+ //
+ // TEquals(true, CouchDB.login("jan", "apple").ok);
+ //
+ // var all = usersDb.allDocs({ include_docs: true });
+ // T(all.rows);
+ // if (all.rows) {
+ // T(all.rows.every(function(row) {
+ // if (row.doc) {
+ // return Object.keys(row.doc).every(function(key) {
+ // return key === 'name' || key === 'type';
+ // });
+ // } else {
+ // if(row.id[0] == "_") {
+ // // ignore design docs
+ // return true
+ // } else {
+ // return false;
+ // }
+ // }
+ // }));
+ // }
+ // // log in one last time so run_on_modified_server can clean up the admin account
+ // TEquals(true, CouchDB.login("jan", "apple").ok);
+ // });
run_on_modified_server([
{
section: "couch_httpd_auth",
- key: "iterations",
- value: "1"
- },
- {
- section: "couch_httpd_auth",
key: "public_fields",
value: "name"
},
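Review bot: The block commented out near the end of this hunk (the `run_on_modified_server` call with `users_db_public` set to `"true"` and `public_fields` set to `"name,type"`) held the assertions in this hunk that an anonymous read of a user doc does not return `salt`, `derived_key` or `password_scheme`, so that exposure path is no longer exercised. If it cannot run in the new setup yet, I would delete the dead code and leave a tracked marker such as `// TODO: re-enable users_db_public=true / public_fields coverage` rather than keep roughly fifty commented lines. Separately, the two view checks now expect `3` rows while their messages still say "list four users"; the messages should change with the count, e.g. `"should allow access and list three users to admin"`. The comment `// log in one last time so run_on_modified_server can clean up the admin account` is stale now that the wrapper is gone, and the `jan`/`apple` admin that the remaining logins rely on is presumably created outside this hunk. The enclosing test function begins and ends outside the hunk.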
@@ -351,11 +306,6 @@ couchTests.users_db_security = function(debug) {
section: "couch_httpd_auth",
key: "users_db_public",
value: "false"
- },
- {
- section: "admins",
- key: "jan",
- value: "apple"
}
], function() {
TEquals(true, CouchDB.login("jchris", "couch").ok);
@@ -364,7 +314,7 @@ couchTests.users_db_security = function(debug) {
var all = usersDb.allDocs({ include_docs: true });
T(false); // should never hit
} catch(e) {
- TEquals("forbidden", e.error, "should throw");
+ TEquals("unauthorized", e.error, "should throw");
}
// COUCHDB-1888 make sure admins always get all fields
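Review bot: Expecting `"unauthorized"` from `usersDb.allDocs` right after `CouchDB.login("jchris", "couch")` has succeeded deserves a comment, because that error normally signals a missing or rejected credential rather than an authenticated user who lacks permission (the old assertion was `"forbidden"`). If the new value is what the server returns by design, say so above the assertion, e.g. `// _users returns unauthorized to non-admins here, even when logged in`; otherwise the test may be passing only because the session is not applied to the request. A cheap guard is to assert the session before the read, `TEquals("jchris", CouchDB.session().userCtx.name);`. The `try` block and its enclosing callback start outside this hunk.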
@@ -387,5 +337,5 @@ couchTests.users_db_security = function(debug) {
testFun
);
usersDb.deleteDb(); // cleanup
-
+ // wait(2000)
};