diff options
Diffstat (limited to 'test/elixir/test/reader_acl_test.exs')
-rw-r--r-- | test/elixir/test/reader_acl_test.exs | 255 |
1 files changed, 0 insertions, 255 deletions
diff --git a/test/elixir/test/reader_acl_test.exs b/test/elixir/test/reader_acl_test.exs deleted file mode 100644 index 3cbd5c886..000000000 --- a/test/elixir/test/reader_acl_test.exs +++ /dev/null @@ -1,255 +0,0 @@ -defmodule ReaderACLTest do - use CouchTestCase - - @moduletag :authentication - @moduletag kind: :single_node - - @users_db_name "custom-users" - @password "funnybone" - - @moduletag config: [ - { - "chttpd_auth", - "authentication_db", - @users_db_name - }, - { - "couch_httpd_auth", - "authentication_db", - @users_db_name - } - ] - setup do - # Create db if not exists - Couch.put("/#{@users_db_name}") - - # create a user with top-secret-clearance - user_doc = - prepare_user_doc([ - {:name, "bond@apache.org"}, - {:password, @password}, - {:roles, ["top-secret"]} - ]) - - {:ok, _} = create_doc(@users_db_name, user_doc) - - # create a user with top-secret-clearance - user_doc = - prepare_user_doc([ - {:name, "juanjo@apache.org"}, - {:password, @password} - ]) - - {:ok, _} = create_doc(@users_db_name, user_doc) - - on_exit(&tear_down/0) - - :ok - end - - defp tear_down do - delete_db(@users_db_name) - end - - defp login(user, password) do - sess = Couch.login(user, password) - assert sess.cookie, "Login correct is expected" - sess - end - - defp logout(session) do - assert Couch.Session.logout(session).body["ok"] - end - - defp open_as(db_name, doc_id, options) do - use_session = Keyword.get(options, :use_session) - user = Keyword.get(options, :user) - expect_response = Keyword.get(options, :expect_response, 200) - expect_message = Keyword.get(options, :error_message) - - session = use_session || login(user, @password) - - resp = - Couch.Session.get( - session, - "/#{db_name}/#{URI.encode(doc_id)}" - ) - - if use_session == nil do - logout(session) - end - - assert resp.status_code == expect_response - - if expect_message != nil do - assert resp.body["error"] == expect_message - end - - resp.body - end - - defp set_security(db_name, security, expect_response \\ 200) do - resp = Couch.put("/#{db_name}/_security", body: security) - assert resp.status_code == expect_response - end - - @tag :with_db - test "unrestricted db can be read", context do - db_name = context[:db_name] - - doc = %{_id: "baz", foo: "bar"} - {:ok, _} = create_doc(db_name, doc) - - # any user can read unrestricted db - open_as(db_name, "baz", user: "juanjo@apache.org") - open_as(db_name, "baz", user: "bond@apache.org") - end - - @tag :with_db - test "restricted db can be read by authorized users", context do - db_name = context[:db_name] - - doc = %{_id: "baz", foo: "bar"} - {:ok, _} = create_doc(db_name, doc) - - security = %{ - members: %{ - roles: ["super-secret-club"], - names: ["joe", "barb"] - } - } - - set_security(db_name, security) - - # can't read it as bond is missing the needed role - open_as(db_name, "baz", user: "bond@apache.org", expect_response: 403) - - # make anyone with the top-secret role an admin - # db admins are automatically members - security = %{ - admins: %{ - roles: ["top-secret"], - names: [] - }, - members: %{ - roles: ["super-secret-club"], - names: ["joe", "barb"] - } - } - - set_security(db_name, security) - - # db admin can read - open_as(db_name, "baz", user: "bond@apache.org") - - # admin now adds the top-secret role to the db's members - # and removes db-admins - security = %{ - admins: %{ - roles: [], - names: [] - }, - members: %{ - roles: ["super-secret-club", "top-secret"], - names: ["joe", "barb"] - } - } - - set_security(db_name, security) - - # server _admin can always read - resp = Couch.get("/#{db_name}/baz") - assert resp.status_code == 200 - - open_as(db_name, "baz", user: "bond@apache.org") - end - - @tag :with_db - test "works with readers (backwards compat with 1.0)", context do - db_name = context[:db_name] - - doc = %{_id: "baz", foo: "bar"} - {:ok, _} = create_doc(db_name, doc) - - security = %{ - admins: %{ - roles: [], - names: [] - }, - readers: %{ - roles: ["super-secret-club", "top-secret"], - names: ["joe", "barb"] - } - } - - set_security(db_name, security) - open_as(db_name, "baz", user: "bond@apache.org") - end - - @tag :with_db - test "can't set non string reader names or roles", context do - db_name = context[:db_name] - - security = %{ - members: %{ - roles: ["super-secret-club", %{"top-secret": "awesome"}], - names: ["joe", "barb"] - } - } - - set_security(db_name, security, 500) - - security = %{ - members: %{ - roles: ["super-secret-club", "top-secret"], - names: ["joe", 22] - } - } - - set_security(db_name, security, 500) - - security = %{ - members: %{ - roles: ["super-secret-club", "top-secret"], - names: "joe" - } - } - - set_security(db_name, security, 500) - end - - @tag :with_db - test "members can query views", context do - db_name = context[:db_name] - - doc = %{_id: "baz", foo: "bar"} - {:ok, _} = create_doc(db_name, doc) - - security = %{ - admins: %{ - roles: [], - names: [] - }, - members: %{ - roles: ["super-secret-club", "top-secret"], - names: ["joe", "barb"] - } - } - - set_security(db_name, security) - - view = %{ - _id: "_design/foo", - views: %{ - bar: %{ - map: "function(doc){emit(null, null)}" - } - } - } - - {:ok, _} = create_doc(db_name, view) - - # members can query views - open_as(db_name, "_design/foo/_view/bar", user: "bond@apache.org") - end -end |