# -*- coding: utf-8 -*-
##############################################################################
#
# Copyright (c) 2013 Nexedi SA and Contributors. All Rights Reserved.
#
# WARNING: This program as such is intended to be used by professional
# programmers who take the whole responsibility of assessing all potential
# consequences resulting from its eventual inadequacies and bugs
# End users who are looking for a ready-to-use solution with commercial
# guarantees and support are strongly advised to contract a Free Software
# Service Company
#
# This program is Free Software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
##############################################################################

import os
import unittest
from types import MethodType
from Acquisition import aq_base
from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase

# You can run these security tests against your own collection of business
# templates by subclassing TestSecurityMixin, like this:
#
# from Products.ERP5.tests.testERP5Security import TestSecurityMixin
# class TestMySecurity(TestSecurityMixin):
#   def getBusinessTemplateList(self):
#     return (...)

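class TestSecurityMixin(ERP5TypeTestCase):
  """Security checks that can be run against any set of business templates.

  Subclass it and override getBusinessTemplateList() to choose which
  business templates are installed before the checks run. The checks look
  for methods that are implicitly public: in Zope a method with a docstring
  is publishable, so one that carries no security declaration is reachable
  by anyone unless its class declares ``__roles__`` as a whole.
  """

  def _prepareDocumentList(self):
    """Instantiate one document of every reachable portal type.

    Starting from every portal object that has getPortalType(), recursively
    creates one sub-object per allowed content type so that ZopeFind() in
    the tests sees an instance of each type. Runs only once per test
    instance; later calls return immediately.
    """
    if getattr(self, '_prepareDocumentList_finished', None):
      return
    portal_types = self.portal.portal_types
    # Portal types already instantiated: each type is created at most once,
    # which also bounds the recursion on types that can contain themselves.
    seen_portal_type_set = set()

    def createSubObject(container):
      type_info = getattr(portal_types, container.getPortalType(), None)
      if type_info is None:
        return
      for portal_type in type_info.getTypeAllowedContentTypeList():
        if portal_type in seen_portal_type_set:
          continue
        seen_portal_type_set.add(portal_type)
        # Best effort: a type that cannot be created in this context is
        # skipped rather than aborting the whole sweep. Only Exception is
        # caught so KeyboardInterrupt/SystemExit still propagate.
        try:
          sub_object = container.newContent(portal_type=portal_type,
                                            created_by_builder=True)
          createSubObject(sub_object)
        except Exception:
          pass

    for document in self.portal.objectValues():
      if getattr(aq_base(document), 'getPortalType', None) is not None:
        createSubObject(document)
    self._prepareDocumentList_finished = True

  def test_method_protection(self):
    """Fail if any object in the ZODB exposes an implicitly public method.

    A bound method that has a docstring but no security declaration (no
    ``<method_id>__roles__`` attribute on the object) is reported, one entry
    per (filename, first line, method id). Classes that define ``__roles__``
    directly are skipped, and each meta_type is inspected only once.
    Unless the ``erp5_debug_mode`` environment variable is set, only methods
    whose source path contains ``/erp5/`` are reported, so the check is
    silent for code outside such a checkout.
    """
    self._prepareDocumentList()
    # Method ids deliberately exempted from the check.
    white_method_id_set = frozenset(['om_icons'])
    app = self.portal.aq_parent
    seen_meta_type_set = set()
    error_set = set()
    for _, obj in app.ZopeFind(app, search_sub=1):
      meta_type = getattr(obj, 'meta_type', None)
      if meta_type is None or meta_type in seen_meta_type_set:
        continue
      seen_meta_type_set.add(meta_type)
      # A class-level __roles__ covers every method of the class at once.
      if '__roles__' in obj.__class__.__dict__:
        continue
      for method_id in dir(obj):
        if method_id.startswith('_') or method_id in white_method_id_set:
          continue
        method = getattr(obj, method_id, None)
        if not (isinstance(method, MethodType) and
                getattr(method, 'func_name', None) is not None and
                method.__doc__ and
                not hasattr(obj, '%s__roles__' % method_id) and
                method.__module__):
          continue
        func_code = method.func_code
        # Generated workflow-state serializers are exempted.
        if (method.__module__ == 'Products.ERP5Type.Accessor.WorkflowState'
            and func_code.co_name == 'serialize'):
          continue
        error_set.add((func_code.co_filename, func_code.co_firstlineno,
                       method_id))
    error_list = sorted(error_set)
    # Outside debug mode, restrict the report to an erp5 source tree; this is
    # a path-substring heuristic and depends on where the code is checked out.
    if not os.environ.get('erp5_debug_mode', None):
      error_list = [x for x in error_list if '/erp5/' in x[0]]
    if error_list:
      message = '\nThe following %s methods have a docstring but have no security assertions.\n\t%s' \
                    % (len(error_list), '\n\t'.join(['%s:%s %s' % x for x in error_list]))
      self.fail(message)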

class TestSecurity(TestSecurityMixin):
  """Run the security checks against the XHTML test's business templates."""

  def getTitle(self):
    """Return the human-readable name of this test case."""
    return "Security Test"

  def getBusinessTemplateList(self):
    """Reuse the business template list of the XHTML test suite."""
    from Products.ERP5.tests.testXHTML import TestXHTML as xhtml_test_class
    return xhtml_test_class.getBusinessTemplateList()

def test_suite():
  """Build the suite holding every test of TestSecurity."""
  return unittest.TestSuite([unittest.makeSuite(TestSecurity)])