authorjiangph <jiangph@cn.ibm.com>2019-01-28 10:43:34 +0800
committerjiangph <jiangph@cn.ibm.com>2019-01-29 08:12:39 +0800
commit13534500a2704240cb0d1d1b3063f7fbf6f386ed (patch)
treeac1a7c1fa8422a4140d174379b751d7a40375fa4
parentedcb37288bc2043d8c4d748f4426b6f8fd9d09af (diff)
restrict _purge to server adminrestrict-purge-admin
This restricts _purge and _purged_infos_limit to server admins, in terms of the security level required to run them. Fixes #1799
-rw-r--r--src/chttpd/src/chttpd_auth_request.erl4
-rw-r--r--src/chttpd/test/chttpd_security_tests.erl61
2 files changed, 64 insertions, 1 deletions
diff --git a/src/chttpd/src/chttpd_auth_request.erl b/src/chttpd/src/chttpd_auth_request.erl
index f85eb9722..5b4ec84d5 100644
--- a/src/chttpd/src/chttpd_auth_request.erl
+++ b/src/chttpd/src/chttpd_auth_request.erl
@@ -72,6 +72,10 @@ authorize_request_int(#httpd{path_parts=[_DbName, <<"_view_cleanup">>]}=Req) ->
require_db_admin(Req);
authorize_request_int(#httpd{path_parts=[_DbName, <<"_sync_shards">>]}=Req) ->
require_admin(Req);
+authorize_request_int(#httpd{path_parts=[_DbName, <<"_purge">>]}=Req) ->
+ require_admin(Req);
+authorize_request_int(#httpd{path_parts=[_DbName, <<"_purged_infos_limit">>]}=Req) ->
+ require_admin(Req);
authorize_request_int(#httpd{path_parts=[_DbName|_]}=Req) ->
db_authorization_check(Req).
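Review bot: The new `_purged_infos_limit` clause dispatches on path_parts alone, so it raises the requirement to server admin for every HTTP method on that path, not just the PUT that the tests exercise; if the endpoint also answers GET (reading the current limit), that read now needs admin too, which is probably intended but is worth stating. A short comment above the two added clauses would make the decision visible to the next reader, e.g. `%% _purge and _purged_infos_limit change purge state cluster-wide; server admin only (all methods), see #1799`. Placing both clauses before the `[_DbName|_]` catch-all is correct, since that clause would otherwise hand them to db_authorization_check/1. authorize_request_int/1 begins outside this hunk.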
diff --git a/src/chttpd/test/chttpd_security_tests.erl b/src/chttpd/test/chttpd_security_tests.erl
index 12a53acf2..955b4ff01 100644
--- a/src/chttpd/test/chttpd_security_tests.erl
+++ b/src/chttpd/test/chttpd_security_tests.erl
@@ -110,7 +110,13 @@ all_test_() ->
fun should_allow_admin_view_compaction/1,
fun should_disallow_anonymous_view_compaction/1,
fun should_allow_admin_db_view_cleanup/1,
- fun should_disallow_anonymous_db_view_cleanup/1
+ fun should_disallow_anonymous_db_view_cleanup/1,
+ fun should_allow_admin_purge/1,
+ fun should_disallow_anonymous_purge/1,
+ fun should_disallow_db_member_purge/1,
+ fun should_allow_admin_purged_infos_limit/1,
+ fun should_disallow_anonymous_purged_infos_limit/1,
+ fun should_disallow_db_member_purged_infos_limit/1
]
}
}
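Review bot: The `should_disallow_anonymous_purged_infos_limit/1` entry added here registers a test that does not test what its name says: its body, defined in the next hunk, sends `[?CONTENT_JSON, ?TEST_MEMBER_AUTH]` on the PUT, so it is a duplicate of `should_disallow_db_member_purged_infos_limit/1` and the anonymous case for `_purged_infos_limit` is never exercised. The request headers in that function should drop the member credentials, mirroring `should_disallow_anonymous_purge/1`: `[?CONTENT_JSON], "2"),`. As a minor style point, two of the new tests write `?_assertEqual(<<"unauthorized">>,ErrType)` without the space after the comma that the surrounding tests use.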
@@ -228,6 +234,59 @@ should_disallow_anonymous_db_view_cleanup([Url,_UsersUrl]) ->
ErrType = couch_util:get_value(<<"error">>, InnerJson),
?_assertEqual(<<"unauthorized">>, ErrType).
+should_allow_admin_purge([Url,_UsersUrl]) ->
+ ?_assertEqual(null,
+ begin
+ IdsRevs = "{}",
+ {ok, _, _, ResultBody} = test_request:post(Url ++ "/_purge",
+ [?CONTENT_JSON, ?AUTH], IdsRevs),
+ ResultJson = ?JSON_DECODE(ResultBody),
+ {InnerJson} = ResultJson,
+ couch_util:get_value(<<"purge_seq">>, InnerJson, undefined)
+ end).
+
+should_disallow_anonymous_purge([Url,_UsersUrl]) ->
+ {ok, _, _, ResultBody} = test_request:post(Url ++ "/_purge",
+ [?CONTENT_JSON], ""),
+ ResultJson = ?JSON_DECODE(ResultBody),
+ {InnerJson} = ResultJson,
+ ErrType = couch_util:get_value(<<"error">>, InnerJson),
+ ?_assertEqual(<<"unauthorized">>, ErrType).
+
+should_disallow_db_member_purge([Url,_UsersUrl]) ->
+ {ok, _, _, ResultBody} = test_request:post(Url ++ "/_purge",
+ [?CONTENT_JSON, ?TEST_MEMBER_AUTH], ""),
+ ResultJson = ?JSON_DECODE(ResultBody),
+ {InnerJson} = ResultJson,
+ ErrType = couch_util:get_value(<<"error">>, InnerJson),
+ ?_assertEqual(<<"unauthorized">>,ErrType).
+
+should_allow_admin_purged_infos_limit([Url,_UsersUrl]) ->
+ ?_assertEqual(true,
+ begin
+ {ok, _, _, ResultBody} = test_request:put(Url
+ ++ "/_purged_infos_limit/", [?CONTENT_JSON, ?AUTH], "2"),
+ ResultJson = ?JSON_DECODE(ResultBody),
+ {InnerJson} = ResultJson,
+ couch_util:get_value(<<"ok">>, InnerJson, undefined)
+ end).
+
+should_disallow_anonymous_purged_infos_limit([Url,_UsersUrl]) ->
+ {ok, _, _, ResultBody} = test_request:put(Url ++ "/_purged_infos_limit/",
+ [?CONTENT_JSON, ?TEST_MEMBER_AUTH], "2"),
+ ResultJson = ?JSON_DECODE(ResultBody),
+ {InnerJson} = ResultJson,
+ ErrType = couch_util:get_value(<<"error">>, InnerJson),
+ ?_assertEqual(<<"unauthorized">>, ErrType).
+
+should_disallow_db_member_purged_infos_limit([Url,_UsersUrl]) ->
+ {ok, _, _, ResultBody} = test_request:put(Url ++ "/_purged_infos_limit/",
+ [?CONTENT_JSON, ?TEST_MEMBER_AUTH], "2"),
+ ResultJson = ?JSON_DECODE(ResultBody),
+ {InnerJson} = ResultJson,
+ ErrType = couch_util:get_value(<<"error">>, InnerJson),
+ ?_assertEqual(<<"unauthorized">>,ErrType).
+
should_return_ok_for_sec_obj_with_roles([Url,_UsersUrl]) ->
SecurityUrl = lists:concat([Url, "/_security"]),
SecurityProperties = [