1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy
// of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations under
// the License.
couchTests.reader_acl = function(debug) {
// this tests read access control
var usersDb = new CouchDB("test_suite_users", {"X-Couch-Full-Commit":"false"});
var secretDb = new CouchDB("test_suite_db", {"X-Couch-Full-Commit":"false"});
function testFun() {
try {
usersDb.deleteDb();
usersDb.createDb();
secretDb.deleteDb();
secretDb.createDb();
// create a user with top-secret-clearance
var jchrisUserDoc = CouchDB.prepareUserDoc({
name: "jchris@apache.org",
roles : ["top-secret"]
}, "funnybone");
T(usersDb.save(jchrisUserDoc).ok);
T(CouchDB.session().userCtx.name == null);
// set secret db to be read controlled
T(secretDb.save({_id:"baz",foo:"bar"}).ok);
T(secretDb.open("baz").foo == "bar");
T(secretDb.setDbProperty("_readers", {
roles : ["super-secret-club"],
names : ["joe","barb"]}).ok);
// can't read it as jchris
T(CouchDB.login("jchris@apache.org", "funnybone").ok);
T(CouchDB.session().userCtx.name == "jchris@apache.org");
try {
secretDb.open("baz");
T(false && "can't open a doc from a secret db") ;
} catch(e) {
T(true)
}
CouchDB.logout();
// make top-secret an admin
T(secretDb.setDbProperty("_admins", {
roles : ["top-secret"],
names : []}).ok);
T(CouchDB.login("jchris@apache.org", "funnybone").ok);
T(secretDb.open("baz").foo == "bar");
CouchDB.logout();
T(secretDb.setDbProperty("_admins", {
roles : [],
names : []}).ok);
// admin now adds the top-secret role to the db's readers
T(CouchDB.session().userCtx.roles.indexOf("_admin") != -1);
T(secretDb.setDbProperty("_readers", {
roles : ["super-secret-club", "top-secret"],
names : ["joe","barb"]}).ok);
// now top-secret users can read it
T(secretDb.open("baz").foo == "bar");
T(CouchDB.login("jchris@apache.org", "funnybone").ok);
T(secretDb.open("baz").foo == "bar");
CouchDB.logout();
// can't set non string reader names or roles
try {
secretDb.setDbProperty("_readers", {
roles : ["super-secret-club", {"top-secret":"awesome"}],
names : ["joe","barb"]});
T(false && "only string roles");
} catch (e) {}
try {
secretDb.setDbProperty("_readers", {
roles : ["super-secret-club", "top-secret"],
names : ["joe",22]});
T(false && "only string names");
} catch (e) {}
try {
secretDb.setDbProperty("_readers", {
roles : ["super-secret-club", "top-secret"],
names : "joe"
});
T(false && "only lists of names");
} catch (e) {}
} finally {
CouchDB.logout();
}
}
run_on_modified_server(
[{section: "httpd",
key: "authentication_handlers",
value: "{couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, default_authentication_handler}"},
{section: "couch_httpd_auth",
key: "authentication_db", value: "test_suite_users"}],
testFun
);
}
|