From ee8a76e1cad33831448dbf12a394c51aa65230f4 Mon Sep 17 00:00:00 2001
From: John Christopher Anderson <jchris@apache.org>
Date: Mon, 1 Feb 2010 22:51:15 +0000
Subject: Database-level security.

This patch builds on the DB-admins feature to store lists of database admin and reader names and roles, as well as a security object which can be used for configuration in validation functions.

git-svn-id: https://svn.apache.org/repos/asf/couchdb/trunk@905436 13f79535-47bb-0310-9956-ffa450edef68
---
 share/www/script/test/reader_acl.js          | 95 ++++++++++++++++++++++++++++
 share/www/script/test/security_validation.js | 38 +++++++++--
 2 files changed, 129 insertions(+), 4 deletions(-)
 create mode 100644 share/www/script/test/reader_acl.js

(limited to 'share/www/script/test')

diff --git a/share/www/script/test/reader_acl.js b/share/www/script/test/reader_acl.js
new file mode 100644
index 00000000..58f3d001
--- /dev/null
+++ b/share/www/script/test/reader_acl.js
@@ -0,0 +1,95 @@
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not
+// use this file except in compliance with the License.  You may obtain a copy
+// of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+couchTests.reader_acl = function(debug) {
+  // this tests read access control
+
+  var usersDb = new CouchDB("test_suite_users", {"X-Couch-Full-Commit":"false"});
+  var secretDb = new CouchDB("test_suite_db", {"X-Couch-Full-Commit":"false"});
+  function testFun() {
+    try {
+      usersDb.deleteDb();
+      usersDb.createDb();
+      secretDb.deleteDb();
+      secretDb.createDb();
+
+      // create a user with top-secret-clearance
+      var jchrisUserDoc = CouchDB.prepareUserDoc({
+        name: "jchris@apache.org",
+        roles : ["top-secret"]
+      }, "funnybone");
+      T(usersDb.save(jchrisUserDoc).ok);
+
+      T(CouchDB.session().userCtx.name == null);
+
+      // set secret db to be read controlled
+      T(secretDb.save({_id:"baz",foo:"bar"}).ok);
+      T(secretDb.open("baz").foo == "bar");
+
+      T(secretDb.setDbProperty("_readers", {
+        roles : ["super-secret-club"],
+        names : ["joe","barb"]}).ok);
+      // can't read it as jchris
+      T(CouchDB.login("jchris@apache.org", "funnybone").ok);
+      T(CouchDB.session().userCtx.name == "jchris@apache.org");
+
+      try {
+        secretDb.open("baz");
+        T(false && "can't open a doc from a secret db") ;
+      } catch(e) {
+        T(true)
+      }
+
+      CouchDB.logout();
+
+      // admin now adds the top-secret role to the db's readers
+      T(CouchDB.session().userCtx.roles.indexOf("_admin") != -1);
+
+      T(secretDb.setDbProperty("_readers", {
+        roles : ["super-secret-club", "top-secret"],
+        names : ["joe","barb"]}).ok);
+
+      // now top-secret users can read it
+      T(secretDb.open("baz").foo == "bar");
+      T(CouchDB.login("jchris@apache.org", "funnybone").ok);
+      T(secretDb.open("baz").foo == "bar");
+      
+      CouchDB.logout();
+
+      // can't set non string reader names or roles
+      try {
+        T(!secretDb.setDbProperty("_readers", {
+          roles : ["super-secret-club", {"top-secret":"awesome"}],
+          names : ["joe","barb"]}).ok);      
+        T(false && "only string roles");
+      } catch (e) {}
+
+      try {
+      T(!secretDb.setDbProperty("_readers", {
+        roles : ["super-secret-club", "top-secret"],
+        names : ["joe",22]}).ok);
+        T(false && "only string names");
+        } catch (e) {}
+    } finally {
+      CouchDB.logout();
+    }
+  }
+
+  run_on_modified_server(
+    [{section: "httpd",
+      key: "authentication_handlers",
+      value: "{couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, default_authentication_handler}"},
+     {section: "couch_httpd_auth",
+      key: "authentication_db", value: "test_suite_users"}],
+    testFun
+  );
+}
diff --git a/share/www/script/test/security_validation.js b/share/www/script/test/security_validation.js
index 43968426..9ecb9ba0 100644
--- a/share/www/script/test/security_validation.js
+++ b/share/www/script/test/security_validation.js
@@ -69,7 +69,13 @@ couchTests.security_validation = function(debug) {
       var designDoc = {
         _id:"_design/test",
         language: "javascript",
-        validate_doc_update: "(" + (function (newDoc, oldDoc, userCtx) {
+        validate_doc_update: "(" + (function (newDoc, oldDoc, userCtx, secObj) {
+          if (secObj.admin_override) {
+            if (userCtx.roles.indexOf('_admin') != -1) {
+              // user is admin, they can do anything
+              return true;
+            }
+          }
           // docs should have an author field.
           if (!newDoc._deleted && !newDoc.author) {
             throw {forbidden:
@@ -99,11 +105,11 @@ couchTests.security_validation = function(debug) {
       }
 
       // set user as the admin
-      T(db.setDbProperty("_admins", ["Damien Katz"]).ok);
+      T(db.setDbProperty("_admins", {names : ["Damien Katz"]}).ok);
 
       T(userDb.save(designDoc).ok);
 
-      // test the _whoami endpoint
+      // test the _session API
       var resp = userDb.request("GET", "/_session");
       var user = JSON.parse(resp.responseText).userCtx;
       T(user.name == "Damien Katz");
@@ -158,6 +164,31 @@ couchTests.security_validation = function(debug) {
         T(e.error == "unauthorized");
         T(userDb.last_req.status == 401);
       }
+      
+      // admin must save with author field unless admin override
+      var resp = db.request("GET", "/_session");
+      var user = JSON.parse(resp.responseText).userCtx;
+      T(user.name == null);
+      // test that we are admin
+      TEquals(user.roles, ["_admin"]);
+      
+      // can't save the doc even though we are admin
+      var doc = db.open("testdoc");
+      doc.foo=3;
+      try {
+        db.save(doc);
+        T(false && "Can't get here. Should have thrown an error 3");
+      } catch (e) {
+        T(e.error == "unauthorized");
+        T(db.last_req.status == 401);
+      }
+
+      // now turn on admin override
+      T(db.setDbProperty("_security", {admin_override : true}).ok);
+      T(db.save(doc).ok);
+
+      // go back to normal
+      T(db.setDbProperty("_security", {admin_override : false}).ok);
 
       // Now delete document
       T(user2Db.deleteDoc(doc).ok);
@@ -188,7 +219,6 @@ couchTests.security_validation = function(debug) {
       T(db.open("booboo") == null);
       T(db.open("foofoo") == null);
 
-
       // Now test replication
       var AuthHeaders = {"WWW-Authenticate": "X-Couch-Test-Auth Christopher Lenz:dog food"};
       var host = CouchDB.host;
-- 
cgit v1.2.3