authorFrederick Kaempfer <frederick.kaempfer@gmail.com>2017-07-11 10:12:01 +0200
committerJoan Touzet <wohali@users.noreply.github.com>2017-07-12 11:12:37 -0400
commit6d2ece55c06d8a2fdd3eeb416288630a4ebac9bf (patch)
tree690af0fae7cff2a23f69ceaacbed6a2aeb4fda75
parent3b509ce382f7d9c7dfb62493dfceb91ea86adc09 (diff)
downloadcouchdb-6d2ece55c06d8a2fdd3eeb416288630a4ebac9bf.tar.gz
Add tests for db admin/db member compaction.
-rw-r--r--src/chttpd/test/chttpd_security_tests.erl82
1 files changed, 73 insertions, 9 deletions
diff --git a/src/chttpd/test/chttpd_security_tests.erl b/src/chttpd/test/chttpd_security_tests.erl
index a964f3006..6e4b8b5a3 100644
--- a/src/chttpd/test/chttpd_security_tests.erl
+++ b/src/chttpd/test/chttpd_security_tests.erl
@@ -18,21 +18,43 @@
-define(USER, "chttpd_db_test_admin").
-define(PASS, "pass").
-define(AUTH, {basic_auth, {?USER, ?PASS}}).
+
+-define(TEST_MEMBER, "test_member").
+-define(TEST_MEMBER_PASS, "test_member_pass").
+-define(TEST_MEMBER_AUTH, {basic_auth, {?TEST_MEMBER, ?TEST_MEMBER_PASS}}).
+
+-define(TEST_ADMIN, "test_admin").
+-define(TEST_ADMIN_PASS, "test_admin_pass").
+-define(TEST_ADMIN_AUTH, {basic_auth, {?TEST_ADMIN, ?TEST_ADMIN_PASS}}).
+
+
+
-define(CONTENT_JSON, {"Content-Type", "application/json"}).
-define(FIXTURE_TXT, ?ABS_PATH(?FILE)).
setup() ->
ok = config:set("admins", ?USER, ?PASS, _Persist=false),
+ UserDb = ?tempdb(),
TmpDb = ?tempdb(),
+ ok = config:set("couch_httpd_auth", "authentication_db", ?b2l(UserDb)),
Addr = config:get("chttpd", "bind_address", "127.0.0.1"),
Port = mochiweb_socket_server:get(chttpd, port),
- Url = lists:concat(["http://", Addr, ":", Port, "/", ?b2l(TmpDb)]),
+ BaseUrl = lists:concat(["http://", Addr, ":", Port, "/"]),
+ Url = lists:concat([BaseUrl, ?b2l(TmpDb)]),
+ UsersUrl = lists:concat([BaseUrl, ?b2l(UserDb)]),
+ create_db(UsersUrl),
create_db(Url),
create_design_doc(Url),
- Url.
+ create_user(UsersUrl,?TEST_MEMBER,[<<?TEST_MEMBER_PASS>>]),
+ create_user(UsersUrl,?TEST_ADMIN,[<<?TEST_MEMBER_PASS>>]),
+ set_security(Url),
+ [Url, UsersUrl].
-teardown(Url) ->
+teardown([Url,UsersUrl]) ->
+ Addr = config:get("chttpd", "bind_address", "127.0.0.1"),
+ Port = mochiweb_socket_server:get(chttpd, port),
delete_db(Url),
+ delete_db(UsersUrl),
ok = config:delete("admins", ?USER, _Persist=false).
create_db(Url) ->
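Review bot: teardown/1 on lines 56-61 never reverts the `authentication_db` value that setup/1 writes on line 40, and that `config:set/3` call does not pass the `_Persist=false` the admins entry uses, so the setting appears to outlive the test run; add `ok = config:delete("couch_httpd_auth", "authentication_db", _Persist=false)` beside the existing admins delete. The `Addr` and `Port` bindings added to teardown/1 on lines 57-58 are never read and will only raise unused-variable warnings. On line 52 the admin user is created with `[<<?TEST_MEMBER_PASS>>]` as its roles list, which reads like a copy of line 51; since set_security/1 grants admin to the `test_admin` role, this was presumably meant to be `[<<?TEST_ADMIN>>]`, with line 51 using `[<<?TEST_MEMBER>>]`.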
@@ -44,10 +66,32 @@ create_design_doc(Url) ->
"{\"id\":\"_design/test\"}"),
?assert(Status =:= 201 orelse Status =:= 202).
+set_security(Url) ->
+
+ SecurityUrl = lists:concat([Url, "/_security"]),
+ SecurityProperties = [
+ {<<"admins">>,{[{<<"roles">>,[<<"test_admin">>]}]}},
+ {<<"members">>,{[{<<"roles">>,[<<"test_member">>]}]}}
+ ],
+
+ Body = jiffy:encode({SecurityProperties}),
+ {ok, Status, _, _} = test_request:post(Url, [?CONTENT_JSON, ?AUTH], Body),
+ ?assert(Status =:= 201 orelse Status =:= 202).
delete_db(Url) ->
{ok, 200, _, _} = test_request:delete(Url, [?AUTH]).
+create_user(UsersUrl,Name, Roles) ->
+
+ Body = "{\"name\":\"" ++ Name ++
+ "\",\"type\":\"user\",\"roles\":" ++ erlang:binary_to_list(jiffy:encode(Roles)) ++ ",\"password\":\"secret\"}",
+ Url = lists:concat([
+ UsersUrl, "/org.couchdb.user:", Name]),
+ {ok, 201, _, _} = test_request:put(Url, [?CONTENT_JSON, ?AUTH], Body),
+ % let's proceed after giving couch_peruser some time to create the user db
+ timer:sleep(2000).
+
+
all_test_() ->
{
"chttpd security tests",
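Review bot: set_security/1 computes `SecurityUrl` but then sends the security object to `Url` on line 75, so the body is stored as an ordinary document and the admins/members roles are never applied to the database; `SecurityUrl` is also left unused. The write belongs on the `_security` endpoint, which CouchDB updates with PUT: `{ok, Status, _, _} = test_request:put(SecurityUrl, [?CONTENT_JSON, ?AUTH], Body)`. create_user/3 hard-codes `"password":"secret"` on line 82 while ?TEST_MEMBER_AUTH and ?TEST_ADMIN_AUTH send ?TEST_MEMBER_PASS and ?TEST_ADMIN_PASS, so the authenticated-user tests can only ever observe bad-credential rejections; take the password as a parameter and build the user document with `jiffy:encode/1` rather than string concatenation so name, roles and password come from one place. The comment on line 86 attributes the `timer:sleep(2000)` to couch_peruser, but nothing visible here enables it; if the wait is not needed the fixed delay only slows the suite.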
@@ -60,6 +104,8 @@ all_test_() ->
[
fun should_allow_admin_db_compaction/1,
fun should_disallow_anonymous_db_compaction/1,
+ fun should_disallow_db_member_db_compaction/1,
+ fun should_allow_db_admin_db_compaction/1,
fun should_allow_admin_view_compaction/1,
fun should_disallow_anonymous_view_compaction/1,
fun should_allow_admin_db_view_cleanup/1,
@@ -69,7 +115,7 @@ all_test_() ->
}
}.
-should_allow_admin_db_compaction(Url) ->
+should_allow_admin_db_compaction([Url,UsersUrl]) ->
?_assertEqual(true,
begin
{ok, _, _, ResultBody} = test_request:post(Url ++ "/_compact",
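Review bot: the new `[Url,UsersUrl]` head binds `UsersUrl` without reading it, so the compiler warns about an unused variable here and in every other test function rewritten the same way (lines 114, 122, 130, 140, 148, 156 and 164); write each head as `should_allow_admin_db_compaction([Url, _UsersUrl]) ->` or match `[Url | _]`. The body of this function continues outside the hunk.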
@@ -79,7 +125,7 @@ should_allow_admin_db_compaction(Url) ->
couch_util:get_value(<<"ok">>, InnerJson, undefined)
end).
-should_disallow_anonymous_db_compaction(Url) ->
+should_disallow_anonymous_db_compaction([Url,UsersUrl]) ->
{ok, _, _, ResultBody} = test_request:post(Url ++ "/_compact",
[?CONTENT_JSON], ""),
ResultJson = ?JSON_DECODE(ResultBody),
@@ -87,7 +133,25 @@ should_disallow_anonymous_db_compaction(Url) ->
ErrType = couch_util:get_value(<<"error">>, InnerJson),
?_assertEqual(<<"unauthorized">>,ErrType).
-should_allow_admin_view_compaction(Url) ->
+should_disallow_db_member_db_compaction([Url,UsersUrl]) ->
+ {ok, _, _, ResultBody} = test_request:post(Url ++ "/_compact",
+ [?CONTENT_JSON, ?TEST_MEMBER_AUTH], ""),
+ ResultJson = ?JSON_DECODE(ResultBody),
+ {InnerJson} = ResultJson,
+ ErrType = couch_util:get_value(<<"error">>, InnerJson),
+ ?_assertEqual(<<"unauthorized">>,ErrType).
+
+should_allow_db_admin_db_compaction([Url,UsersUrl]) ->
+ ?_assertEqual(true,
+ begin
+ {ok, _, _, ResultBody} = test_request:post(Url ++ "/_compact",
+ [?CONTENT_JSON, ?TEST_ADMIN_AUTH], ""),
+ ResultJson = ?JSON_DECODE(ResultBody),
+ {InnerJson} = ResultJson,
+ couch_util:get_value(<<"ok">>, InnerJson, undefined)
+ end).
+
+should_allow_admin_view_compaction([Url,UsersUrl]) ->
?_assertEqual(true,
begin
{ok, _, _, ResultBody} = test_request:post(Url ++ "/_compact/test",
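Review bot: should_disallow_db_member_db_compaction/1 on lines 122-128 asserts only that the error field is `<<"unauthorized">>`, which is the same response a rejected login produces, so the test also passes when the member user never authenticated at all — and with create_user/3 storing the password `"secret"` while ?TEST_MEMBER_AUTH sends ?TEST_MEMBER_PASS, that is likely what happens. Capture the status code and the `<<"reason">>` field and assert on both, or pair the test with a positive check such as a GET on `Url` with ?TEST_MEMBER_AUTH returning 200, so the denial is shown to come from the role check rather than from a failed login. The same concern applies to should_allow_db_admin_db_compaction/1 on lines 130-138, which can only return `true` once the admin user's password and role match what setup/1 configures.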
@@ -97,7 +161,7 @@ should_allow_admin_view_compaction(Url) ->
couch_util:get_value(<<"ok">>, InnerJson, undefined)
end).
-should_disallow_anonymous_view_compaction(Url) ->
+should_disallow_anonymous_view_compaction([Url,UsersUrl]) ->
{ok, _, _, ResultBody} = test_request:post(Url ++ "/_compact/test",
[?CONTENT_JSON], ""),
ResultJson = ?JSON_DECODE(ResultBody),
@@ -105,7 +169,7 @@ should_disallow_anonymous_view_compaction(Url) ->
ErrType = couch_util:get_value(<<"error">>, InnerJson),
?_assertEqual(<<"unauthorized">>,ErrType).
-should_allow_admin_db_view_cleanup(Url) ->
+should_allow_admin_db_view_cleanup([Url,UsersUrl]) ->
?_assertEqual(true,
begin
{ok, _, _, ResultBody} = test_request:post(Url ++ "/_view_cleanup",
@@ -115,7 +179,7 @@ should_allow_admin_db_view_cleanup(Url) ->
couch_util:get_value(<<"ok">>, InnerJson, undefined)
end).
-should_disallow_anonymous_db_view_cleanup(Url) ->
+should_disallow_anonymous_db_view_cleanup([Url,UsersUrl]) ->
{ok, _, _, ResultBody} = test_request:post(Url ++ "/_view_cleanup",
[?CONTENT_JSON], ""),
ResultJson = ?JSON_DECODE(ResultBody),