summaryrefslogtreecommitdiff
path: root/share/www/script/test/reader_acl.js
blob: a5fc6a1a0b2178c854daf96cc616f2a3e3843357 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License.  You may obtain a copy
// of the License at
//
//   http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
// License for the specific language governing permissions and limitations under
// the License.

couchTests.reader_acl = function(debug) {
  // this tests read access control

  var usersDb = new CouchDB("test_suite_users", {"X-Couch-Full-Commit":"false"});
  var secretDb = new CouchDB("test_suite_db", {"X-Couch-Full-Commit":"false"});
  function testFun() {
    try {
      usersDb.deleteDb();
      usersDb.createDb();
      secretDb.deleteDb();
      secretDb.createDb();

      // create a user with top-secret-clearance
      var jchrisUserDoc = CouchDB.prepareUserDoc({
        name: "jchris@apache.org",
        roles : ["top-secret"]
      }, "funnybone");
      T(usersDb.save(jchrisUserDoc).ok);

      T(CouchDB.session().userCtx.name == null);

      // set secret db to be read controlled
      T(secretDb.save({_id:"baz",foo:"bar"}).ok);
      T(secretDb.open("baz").foo == "bar");

      T(secretDb.setDbProperty("_readers", {
        roles : ["super-secret-club"],
        names : ["joe","barb"]}).ok);
      // can't read it as jchris
      T(CouchDB.login("jchris@apache.org", "funnybone").ok);
      T(CouchDB.session().userCtx.name == "jchris@apache.org");

      try {
        secretDb.open("baz");
        T(false && "can't open a doc from a secret db") ;
      } catch(e) {
        T(true)
      }

      CouchDB.logout();
      
      // make top-secret an admin
      T(secretDb.setDbProperty("_admins", {
        roles : ["top-secret"],
        names : []}).ok);

      T(CouchDB.login("jchris@apache.org", "funnybone").ok);

      T(secretDb.open("baz").foo == "bar");

      CouchDB.logout();

      T(secretDb.setDbProperty("_admins", {
        roles : [],
        names : []}).ok);

      // admin now adds the top-secret role to the db's readers
      T(CouchDB.session().userCtx.roles.indexOf("_admin") != -1);

      T(secretDb.setDbProperty("_readers", {
        roles : ["super-secret-club", "top-secret"],
        names : ["joe","barb"]}).ok);

      // now top-secret users can read it
      T(secretDb.open("baz").foo == "bar");
      T(CouchDB.login("jchris@apache.org", "funnybone").ok);
      T(secretDb.open("baz").foo == "bar");
      
      CouchDB.logout();

      // can't set non string reader names or roles
      try {
        secretDb.setDbProperty("_readers", {
          roles : ["super-secret-club", {"top-secret":"awesome"}],
          names : ["joe","barb"]});
        T(false && "only string roles");
      } catch (e) {}

      try {
        secretDb.setDbProperty("_readers", {
          roles : ["super-secret-club", "top-secret"],
          names : ["joe",22]});
        T(false && "only string names");
      } catch (e) {}
      
      try {
        secretDb.setDbProperty("_readers", {
          roles : ["super-secret-club", "top-secret"],
          names : "joe"
        });
        T(false && "only lists of names");
      } catch (e) {}
    } finally {
      CouchDB.logout();
    }
  }

  run_on_modified_server(
    [{section: "httpd",
      key: "authentication_handlers",
      value: "{couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, default_authentication_handler}"},
     {section: "couch_httpd_auth",
      key: "authentication_db", value: "test_suite_users"}],
    testFun
  );
}