1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
|
# Copyright 2010 Canonical Ltd. This software is licensed under the
# GNU Affero General Public License version 3 (see the file LICENSE).
__metaclass__ = type
import re
from urlparse import (
parse_qs,
urlparse,
)
import transaction
from zope.component import (
getMultiAdapter,
getUtility,
)
from zope.publisher.interfaces import NotFound
from zope.security.interfaces import Unauthorized
from zope.security.management import endInteraction
from canonical.launchpad.interfaces.librarian import (
ILibraryFileAliasWithParent,
)
from canonical.launchpad.testing.pages import LaunchpadWebServiceCaller
from canonical.launchpad.webapp.interfaces import ILaunchBag
from canonical.launchpad.webapp.publisher import RedirectionView
from canonical.launchpad.webapp.servers import LaunchpadTestRequest
from canonical.testing.layers import (
AppServerLayer,
LaunchpadFunctionalLayer,
)
from lazr.restfulclient.errors import NotFound as RestfulNotFound
from lp.bugs.browser.bugattachment import BugAttachmentFileNavigation
from lp.testing import (
launchpadlib_for,
login_person,
TestCaseWithFactory,
ws_object,
)
class TestAccessToBugAttachmentFiles(TestCaseWithFactory):
"""Tests of traversal to and access of files of bug attachments."""
layer = LaunchpadFunctionalLayer
def setUp(self):
super(TestAccessToBugAttachmentFiles, self).setUp()
self.bug_owner = self.factory.makePerson()
getUtility(ILaunchBag).clear()
login_person(self.bug_owner)
self.bug = self.factory.makeBug(owner=self.bug_owner)
self.bugattachment = self.factory.makeBugAttachment(
bug=self.bug, filename='foo.txt', data='file content')
def test_traversal_to_lfa_of_bug_attachment(self):
# Traversing to the URL provided by a ProxiedLibraryFileAlias of a
# bug attachament returns a RedirectionView.
request = LaunchpadTestRequest()
request.setTraversalStack(['foo.txt'])
navigation = BugAttachmentFileNavigation(
self.bugattachment, request)
view = navigation.publishTraverse(request, '+files')
self.assertIsInstance(view, RedirectionView)
def test_traversal_to_lfa_of_bug_attachment_wrong_filename(self):
# If the filename provided in the URL does not match the
# filename of the LibraryFileAlias, a NotFound error is raised.
request = LaunchpadTestRequest()
request.setTraversalStack(['nonsense'])
navigation = BugAttachmentFileNavigation(self.bugattachment, request)
self.assertRaises(
NotFound, navigation.publishTraverse, request, '+files')
def test_access_to_unrestricted_file(self):
# Requests of unrestricted files are redirected to Librarian URLs.
request = LaunchpadTestRequest()
request.setTraversalStack(['foo.txt'])
navigation = BugAttachmentFileNavigation(
self.bugattachment, request)
view = navigation.publishTraverse(request, '+files')
mo = re.match('^http://.*/\d+/foo.txt$', view.target)
self.assertIsNot(None, mo)
def test_access_to_restricted_file(self):
# Requests of restricted files are redirected to librarian URLs
# with tokens.
lfa_with_parent = getMultiAdapter(
(self.bugattachment.libraryfile, self.bugattachment),
ILibraryFileAliasWithParent)
lfa_with_parent.restricted = True
self.bug.setPrivate(True, self.bug_owner)
transaction.commit()
request = LaunchpadTestRequest()
request.setTraversalStack(['foo.txt'])
navigation = BugAttachmentFileNavigation(self.bugattachment, request)
view = navigation.publishTraverse(request, '+files')
mo = re.match(
'^https://.*.restricted.*/\d+/foo.txt\?token=.*$', view.target)
self.assertIsNot(None, mo)
def test_access_to_restricted_file_unauthorized(self):
# If a user cannot access the bug attachment itself, he can neither
# access the restricted Librarian file.
lfa_with_parent = getMultiAdapter(
(self.bugattachment.libraryfile, self.bugattachment),
ILibraryFileAliasWithParent)
lfa_with_parent.restricted = True
self.bug.setPrivate(True, self.bug_owner)
transaction.commit()
user = self.factory.makePerson()
login_person(user)
self.assertRaises(Unauthorized, getattr, self.bugattachment, 'title')
request = LaunchpadTestRequest()
request.setTraversalStack(['foo.txt'])
navigation = BugAttachmentFileNavigation(self.bugattachment, request)
self.assertRaises(
Unauthorized, navigation.publishTraverse, request, '+files')
class TestWebserviceAccessToBugAttachmentFiles(TestCaseWithFactory):
"""Tests access to bug attachments via the webservice."""
layer = AppServerLayer
def setUp(self):
super(TestWebserviceAccessToBugAttachmentFiles, self).setUp()
self.bug_owner = self.factory.makePerson()
getUtility(ILaunchBag).clear()
login_person(self.bug_owner)
self.bug = self.factory.makeBug(owner=self.bug_owner)
self.bugattachment = self.factory.makeBugAttachment(
bug=self.bug, filename='foo.txt', data='file content')
def test_anon_access_to_public_bug_attachment(self):
# Attachments of public bugs can be accessed by anonymous users.
#
# Need to endInteraction() because launchpadlib_for_anonymous() will
# setup a new one.
endInteraction()
launchpad = launchpadlib_for('test', None, version='devel')
ws_bug = ws_object(launchpad, self.bug)
ws_bugattachment = ws_bug.attachments[0]
self.assertEqual(
'file content', ws_bugattachment.data.open().read())
def test_user_access_to_private_bug_attachment(self):
# Users having access to private bugs can also read attachments
# of these bugs.
self.bug.setPrivate(True, self.bug_owner)
other_user = self.factory.makePerson()
launchpad = launchpadlib_for('test', self.bug_owner, version='devel')
ws_bug = ws_object(launchpad, self.bug)
ws_bugattachment = ws_bug.attachments[0]
# The attachment contains a link to a HostedBytes resource;
# the response to a GET request of this URL is a redirect to a
# Librarian URL. We cannot simply access these Librarian URLs
# for restricted Librarian files because the host name used in
# the URLs is different for each file, and our test envireonment
# does not support wildcard DNS, and because the Launchpadlib
# browser automatically follows redirects.
# LaunchpadWebServiceCaller, on the other hand, gives us
# access to a raw HTTPResonse object.
webservice = LaunchpadWebServiceCaller(
'launchpad-library', 'salgado-change-anything')
response = webservice.get(ws_bugattachment.data._wadl_resource._url)
self.assertEqual(303, response.status)
# The Librarian URL has, for our test case, the form
# "https://NNNN.restricted.launchpad.dev:PORT/NNNN/foo.txt?token=..."
# where NNNN and PORT are integers.
parsed_url = urlparse(response.getHeader('location'))
self.assertEqual('https', parsed_url.scheme)
mo = re.search(
r'^i\d+\.restricted\..+:\d+$', parsed_url.netloc)
self.assertIsNot(None, mo, parsed_url.netloc)
mo = re.search(r'^/\d+/foo\.txt$', parsed_url.path)
self.assertIsNot(None, mo)
params = parse_qs(parsed_url.query)
self.assertEqual(['token'], params.keys())
# If a user which cannot access the private bug itself tries to
# to access the attachment, an NotFound error is raised.
other_launchpad = launchpadlib_for(
'test_unauthenticated', other_user, version='devel')
self.assertRaises(
RestfulNotFound, other_launchpad._browser.get,
ws_bugattachment.data._wadl_resource._url)
|