From ee8a76e1cad33831448dbf12a394c51aa65230f4 Mon Sep 17 00:00:00 2001 From: John Christopher Anderson Date: Mon, 1 Feb 2010 22:51:15 +0000 Subject: Database-level security. This patch builds on the DB-admins feature to store lists of database admin and reader names and roles, as well as a security object which can be used for configuration in validation functions. git-svn-id: https://svn.apache.org/repos/asf/couchdb/trunk@905436 13f79535-47bb-0310-9956-ffa450edef68 --- share/Makefile.am | 2 + share/www/database.html | 2 + share/www/dialog/_database_security.html | 50 +++++++++++++++ share/www/script/couch_tests.js | 1 + share/www/script/futon.browse.js | 26 ++++++++ share/www/script/jquery.couch.js | 19 ++++++ share/www/script/test/reader_acl.js | 95 ++++++++++++++++++++++++++++ share/www/script/test/security_validation.js | 38 +++++++++-- share/www/style/layout.css | 1 + 9 files changed, 230 insertions(+), 4 deletions(-) create mode 100644 share/www/dialog/_database_security.html create mode 100644 share/www/script/test/reader_acl.js (limited to 'share') diff --git a/share/Makefile.am b/share/Makefile.am index a66e065a4..0288ada6 100644 --- a/share/Makefile.am +++ b/share/Makefile.am @@ -48,6 +48,7 @@ nobase_dist_localdata_DATA = \ www/dialog/_create_database.html \ www/dialog/_delete_database.html \ www/dialog/_delete_document.html \ + www/dialog/_database_security.html \ www/dialog/_save_view_as.html \ www/dialog/_upload_attachment.html \ www/document.html \ @@ -134,6 +135,7 @@ nobase_dist_localdata_DATA = \ www/script/test/multiple_rows.js \ www/script/test/oauth.js \ www/script/test/purge.js \ + www/script/test/reader_acl.js \ www/script/test/recreate_doc.js \ www/script/test/reduce.js \ www/script/test/reduce_builtin.js \ diff --git a/share/www/database.html b/share/www/database.html index ea15a66f..7bc04c11 100644 --- a/share/www/database.html +++ b/share/www/database.html @@ -117,6 +117,7 @@ specific language governing permissions and limitations under the License. $("#toolbar button.add").click(page.newDocument); $("#toolbar button.compact").click(page.compactAndCleanup); $("#toolbar button.delete").click(page.deleteDatabase); + $("#toolbar button.security").click(page.databaseSecurity); $('#jumpto input').suggest(function(text, callback) { page.db.allDocs({ @@ -161,6 +162,7 @@ specific language governing permissions and limitations under the License. diff --git a/share/www/dialog/_database_security.html b/share/www/dialog/_database_security.html new file mode 100644 index 00000000..71771f9e --- /dev/null +++ b/share/www/dialog/_database_security.html @@ -0,0 +1,50 @@ + +
+

Admins and Readers

+

+ Each database contains lists of admins and readers. + Admins and readers are each defined by names and roles, which are lists of strings. For example, if the readers is defined by names ["jane", "mike"] and roles ["bbq"] then anyone with a "bbq" role can read the database. Yummy! +

+
+

Admins

+

Database admins can update design documents and edit the readers list.

+ + + + + + + +
+
+
+

Readers

+

Database readers can access the database. If no readers are defined, the database is public. When readers are defined, only they may read or write to the database.

+ + + + + + + +
+ +
+
+ + +
+
diff --git a/share/www/script/couch_tests.js b/share/www/script/couch_tests.js index 6f1acf83..04253c58 100644 --- a/share/www/script/couch_tests.js +++ b/share/www/script/couch_tests.js @@ -63,6 +63,7 @@ loadScript("script/oauth.js"); loadScript("script/sha1.js"); loadTest("oauth.js"); loadTest("purge.js"); +loadTest("reader_acl.js"); loadTest("recreate_doc.js"); loadTest("reduce.js"); loadTest("reduce_builtin.js"); diff --git a/share/www/script/futon.browse.js b/share/www/script/futon.browse.js index 31e979bb..ade16b20 100644 --- a/share/www/script/futon.browse.js +++ b/share/www/script/futon.browse.js @@ -178,6 +178,32 @@ } }); } + + this.databaseSecurity = function() { + $.showDialog("dialog/_database_security.html", { + load : function(d) { + ["admin", "reader"].forEach(function(key) { + db.getDbProperty("_"+key+"s", { + success : function(r) { + $("input[name="+key+"_names]",d).val(JSON.stringify(r.names||[])); + $("input[name="+key+"_roles]",d).val(JSON.stringify(r.roles||[])); + } + }); + }); + }, + // maybe this should be 2 forms + submit: function(data, callback) { + ["admin", "reader"].forEach(function(key) { + var new_value = { + names : JSON.parse(data[key+"_names"]), + roles : JSON.parse(data[key+"_roles"]) + }; + db.setDbProperty("_"+key+"s", new_value); + }); + callback(); + } + }); + } this.populateViewEditor = function() { if (viewName.match(/^_design\//)) { diff --git a/share/www/script/jquery.couch.js b/share/www/script/jquery.couch.js index 0dcadc99..7eeaefc7 100644 --- a/share/www/script/jquery.couch.js +++ b/share/www/script/jquery.couch.js @@ -371,6 +371,25 @@ }, options, "An error occurred accessing the view" ); + }, + getDbProperty: function(propName, options, ajaxOptions) { + ajax({url: this.uri + propName + encodeOptions(options)}, + options, + "The property could not be retrieved", + ajaxOptions + ); + }, + + setDbProperty: function(propName, propValue, options, ajaxOptions) { + ajax({ + type: "PUT", + url: this.uri + propName + encodeOptions(options), + data : JSON.stringify(propValue) + }, + options, + "The property could not be updated", + ajaxOptions + ); } }; }, diff --git a/share/www/script/test/reader_acl.js b/share/www/script/test/reader_acl.js new file mode 100644 index 00000000..58f3d001 --- /dev/null +++ b/share/www/script/test/reader_acl.js @@ -0,0 +1,95 @@ +// Licensed under the Apache License, Version 2.0 (the "License"); you may not +// use this file except in compliance with the License. You may obtain a copy +// of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +// License for the specific language governing permissions and limitations under +// the License. + +couchTests.reader_acl = function(debug) { + // this tests read access control + + var usersDb = new CouchDB("test_suite_users", {"X-Couch-Full-Commit":"false"}); + var secretDb = new CouchDB("test_suite_db", {"X-Couch-Full-Commit":"false"}); + function testFun() { + try { + usersDb.deleteDb(); + usersDb.createDb(); + secretDb.deleteDb(); + secretDb.createDb(); + + // create a user with top-secret-clearance + var jchrisUserDoc = CouchDB.prepareUserDoc({ + name: "jchris@apache.org", + roles : ["top-secret"] + }, "funnybone"); + T(usersDb.save(jchrisUserDoc).ok); + + T(CouchDB.session().userCtx.name == null); + + // set secret db to be read controlled + T(secretDb.save({_id:"baz",foo:"bar"}).ok); + T(secretDb.open("baz").foo == "bar"); + + T(secretDb.setDbProperty("_readers", { + roles : ["super-secret-club"], + names : ["joe","barb"]}).ok); + // can't read it as jchris + T(CouchDB.login("jchris@apache.org", "funnybone").ok); + T(CouchDB.session().userCtx.name == "jchris@apache.org"); + + try { + secretDb.open("baz"); + T(false && "can't open a doc from a secret db") ; + } catch(e) { + T(true) + } + + CouchDB.logout(); + + // admin now adds the top-secret role to the db's readers + T(CouchDB.session().userCtx.roles.indexOf("_admin") != -1); + + T(secretDb.setDbProperty("_readers", { + roles : ["super-secret-club", "top-secret"], + names : ["joe","barb"]}).ok); + + // now top-secret users can read it + T(secretDb.open("baz").foo == "bar"); + T(CouchDB.login("jchris@apache.org", "funnybone").ok); + T(secretDb.open("baz").foo == "bar"); + + CouchDB.logout(); + + // can't set non string reader names or roles + try { + T(!secretDb.setDbProperty("_readers", { + roles : ["super-secret-club", {"top-secret":"awesome"}], + names : ["joe","barb"]}).ok); + T(false && "only string roles"); + } catch (e) {} + + try { + T(!secretDb.setDbProperty("_readers", { + roles : ["super-secret-club", "top-secret"], + names : ["joe",22]}).ok); + T(false && "only string names"); + } catch (e) {} + } finally { + CouchDB.logout(); + } + } + + run_on_modified_server( + [{section: "httpd", + key: "authentication_handlers", + value: "{couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, default_authentication_handler}"}, + {section: "couch_httpd_auth", + key: "authentication_db", value: "test_suite_users"}], + testFun + ); +} diff --git a/share/www/script/test/security_validation.js b/share/www/script/test/security_validation.js index 43968426..9ecb9ba0 100644 --- a/share/www/script/test/security_validation.js +++ b/share/www/script/test/security_validation.js @@ -69,7 +69,13 @@ couchTests.security_validation = function(debug) { var designDoc = { _id:"_design/test", language: "javascript", - validate_doc_update: "(" + (function (newDoc, oldDoc, userCtx) { + validate_doc_update: "(" + (function (newDoc, oldDoc, userCtx, secObj) { + if (secObj.admin_override) { + if (userCtx.roles.indexOf('_admin') != -1) { + // user is admin, they can do anything + return true; + } + } // docs should have an author field. if (!newDoc._deleted && !newDoc.author) { throw {forbidden: @@ -99,11 +105,11 @@ couchTests.security_validation = function(debug) { } // set user as the admin - T(db.setDbProperty("_admins", ["Damien Katz"]).ok); + T(db.setDbProperty("_admins", {names : ["Damien Katz"]}).ok); T(userDb.save(designDoc).ok); - // test the _whoami endpoint + // test the _session API var resp = userDb.request("GET", "/_session"); var user = JSON.parse(resp.responseText).userCtx; T(user.name == "Damien Katz"); @@ -158,6 +164,31 @@ couchTests.security_validation = function(debug) { T(e.error == "unauthorized"); T(userDb.last_req.status == 401); } + + // admin must save with author field unless admin override + var resp = db.request("GET", "/_session"); + var user = JSON.parse(resp.responseText).userCtx; + T(user.name == null); + // test that we are admin + TEquals(user.roles, ["_admin"]); + + // can't save the doc even though we are admin + var doc = db.open("testdoc"); + doc.foo=3; + try { + db.save(doc); + T(false && "Can't get here. Should have thrown an error 3"); + } catch (e) { + T(e.error == "unauthorized"); + T(db.last_req.status == 401); + } + + // now turn on admin override + T(db.setDbProperty("_security", {admin_override : true}).ok); + T(db.save(doc).ok); + + // go back to normal + T(db.setDbProperty("_security", {admin_override : false}).ok); // Now delete document T(user2Db.deleteDoc(doc).ok); @@ -188,7 +219,6 @@ couchTests.security_validation = function(debug) { T(db.open("booboo") == null); T(db.open("foofoo") == null); - // Now test replication var AuthHeaders = {"WWW-Authenticate": "X-Couch-Test-Auth Christopher Lenz:dog food"}; var host = CouchDB.host; diff --git a/share/www/style/layout.css b/share/www/style/layout.css index d3a43db3..30c21824 100644 --- a/share/www/style/layout.css +++ b/share/www/style/layout.css @@ -236,6 +236,7 @@ body.fullwidth #wrap { margin-right: 0; } #toolbar button:hover { background-position: 2px -30px; color: #000; } #toolbar button:active { background-position: 2px -62px; color: #000; } #toolbar button.add { background-image: url(../image/add.png); } +#toolbar button.security { background-image: url(../image/compact.png); } #toolbar button.compact { background-image: url(../image/compact.png); } #toolbar button.delete { background-image: url(../image/delete.png); } #toolbar button.load { background-image: url(../image/load.png); } -- cgit v1.2.3