use of org.activityinfo.server.database.OnDataSet in project activityinfo by bedatadriven.
the class GcsBlobFieldStorageServiceTest method blobPermissionAttack.
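/**
* Checks that a blob uploaded under one form cannot be claimed through a different form.
* 1. user1 : persists a blob with FormInstance1 (FormClass1)
* 2. user2 : persists the same blob with FormInstance2 (FormClass2) -> tries to steal access to the blob; this must be rejected
*/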
@Test
@OnDataSet("/dbunit/sites-simple-blob-security.db.xml")
public void blobPermissionAttack() throws IOException {
    // Presumably redirects the blob service to a test bucket; the helper is not visible here.
    blobService.setTestBucketName();
    int activityId = 1;
    int databaseId = 1;
    int locationType = 10;

    // --- Phase 1: the legitimate owner uploads a blob and references it from a form instance. ---
    ResourceId attachmentFieldId = ResourceId.generateFieldId(AttachmentType.TYPE_CLASS);
    FormClass formClass = addAttachmentField(activityId, attachmentFieldId);
    // Note: blobId is a field of the test class, not a local.
    blobId = BlobId.generate();
    // The upload is made as `user` and is tied to formClass.getId(); this is the binding the second phase tries to bypass.
    blobService.put(user, "attachment;filename=" + FILE_NAME, MimeTypeUtil.mimeTypeFromFileName(FILE_NAME), blobId, formClass.getId(), GcsBlobFieldStorageServiceTest.class.getResourceAsStream("goabout.png"));
    FormInstance instance = new FormInstance(CuidAdapter.cuid(SITE_DOMAIN, new KeyGenerator().generateInt()), formClass.getId());
    // The attachment value carries only the blob id plus client-supplied metadata (mime type, file name).
    Attachment attachment = new Attachment();
    attachment.setMimeType(MimeTypeUtil.mimeTypeFromFileName(FILE_NAME));
    attachment.setBlobId(blobId.asString());
    attachment.setFilename(FILE_NAME);
    AttachmentValue attachmentValue = new AttachmentValue();
    attachmentValue.getValues().add(attachment);
    instance.set(indicatorField(1), 1);
    instance.set(indicatorField(2), 2);
    instance.set(attachmentFieldId, attachmentValue);
    instance.set(locationField(activityId), locationRef(CuidAdapter.locationFormClass(locationType), 1));
    instance.set(partnerField(activityId), partnerRef(databaseId, 1));
    instance.set(projectField(activityId), projectRef(databaseId, 1));
    instance.set(field(formClass.getId(), START_DATE_FIELD), new LocalDate(2014, 1, 1));
    instance.set(field(formClass.getId(), END_DATE_FIELD), new LocalDate(2014, 1, 1));
    instance.set(field(formClass.getId(), COMMENT_FIELD), "My comment");
    // Baseline: the owner's own instance, which references the blob, must persist.
    assertResolves(locator.persist(instance));
    assertInstanceExists(formClass.getId(), instance.getId());

    // --- Phase 2: a different user re-submits the same blob id under another form. ---
    // Going by the constant's name, this user has no access to database 1.
    // NOTE(review): the stub's user id is static state and is not restored in this method;
    // confirm the fixture resets it so later tests do not run as this user.
    AuthenticationModuleStub.setUserId(USER_WITHOUT_ACCESS_TO_DB_1);
    int anotherActivityId = 32;
    ResourceId newAttachmentFieldId = ResourceId.generateFieldId(AttachmentType.TYPE_CLASS);
    addAttachmentField(anotherActivityId, newAttachmentFieldId);
    // The same FormInstance object is re-used with a fresh id and the other activity's form class.
    // Nothing in this method clears the values that were set for activity 1 above.
    instance.setId(CuidAdapter.cuid(SITE_DOMAIN, new KeyGenerator().generateInt()));
    instance.setClassId(CuidAdapter.activityFormClass(anotherActivityId));
    // Same attachmentValue, hence the same blob id, now attached through the second form's field.
    instance.set(newAttachmentFieldId, attachmentValue);
    instance.set(field(instance.getFormId(), START_DATE_FIELD), new LocalDate(2014, 1, 1));
    instance.set(field(instance.getFormId(), END_DATE_FIELD), new LocalDate(2014, 1, 1));
    // NOTE(review): the partner reference still points into databaseId 1, which this user cannot access.
    // The persist below could therefore be rejected for a reason unrelated to blob ownership - TODO confirm.
    instance.set(partnerField(anotherActivityId), partnerRef(databaseId, 1));
    boolean persisted = true;
    try {
        // Must fail: the blob was uploaded by another user for another form.
        assertResolves(locator.persist(instance));
    } catch (RuntimeException e) {
        // NOTE(review): any RuntimeException counts as "access denied" here, so an unrelated failure
        // (validation, missing reference, null dereference) also makes this security test pass.
        // Asserting on the specific exception raised by the blob permission check would make the
        // regression signal trustworthy.
        e.printStackTrace();
        persisted = false;
    }
    // Only the persist outcome is checked; the test does not separately verify that the second
    // user is still unable to read the blob afterwards.
    assertFalse("Access to blob is stolen! Permissions check for blobs is broken.", persisted);
}
use of org.activityinfo.server.database.OnDataSet in project activityinfo by bedatadriven.
the class CreateDatabaseTest method testCreate.
/**
 * Creates a database through {@code CreateEntity} and checks that it is visible in the
 * schema afterwards with the submitted names, a country, an owner name and one partner.
 *
 * @throws CommandException if either command fails
 */
@Test
@OnDataSet("/dbunit/sites-simple1.db.xml")
public void testCreate() throws CommandException {
    // Only the short and the full name are supplied by the client.
    UserDatabaseDTO requested = new UserDatabaseDTO();
    requested.setName("RIMS");
    requested.setFullName("Reintegration Management Information System");

    CreateResult creation = execute(new CreateEntity(requested));

    // Re-read the schema and look the database up by the id returned from the create call.
    SchemaDTO schemaAfterCreate = execute(new GetSchema());
    UserDatabaseDTO stored = schemaAfterCreate.getDatabaseById(creation.getNewId());

    assertNotNull(stored);
    assertEquals(requested.getName(), stored.getName());
    assertEquals(requested.getFullName(), stored.getFullName());
    // The country was not set on the request, so it has to come from the server side.
    assertNotNull(stored.getCountry());
    // Presumably "Alex" is the user the test harness authenticates as by default;
    // this method does not select a user itself - confirm against the fixture.
    assertEquals("Alex", stored.getOwnerName());
    assertThat(stored.getPartners(), hasSize(1));
}
use of org.activityinfo.server.database.OnDataSet in project activityinfo by bedatadriven.
the class CreateSiteTest method testSiteWithCalculatedIndicators.
/**
 * Creates a site with two entered indicator values, checks the values read back for
 * indicators 11 and 12 (calculated indicators, going by the test and fixture names), then
 * clears the two entered values and checks that all four indicators read back as null.
 *
 * @throws CommandException if a command fails
 */
@OnDataSet("/dbunit/sites-calculated-indicators.db.xml")
@Test
public void testSiteWithCalculatedIndicators() throws CommandException {
    // Detached client-side model of the site to be created.
    SiteDTO draft = new SiteDTO();
    draft.setId(new KeyGenerator().generateInt());
    draft.setActivityId(1);
    draft.setLocationId(1);
    draft.setPartner(new PartnerDTO(1, "Foobar"));
    // GregorianCalendar months are zero-based and the calendar is lenient by default, so
    // (2008, 12, 1) resolves to 1 January 2009 and (2009, 1, 3) to 3 February 2009.
    // NOTE(review): confirm these are the dates the author intended.
    draft.setDate1((new GregorianCalendar(2008, 12, 1)).getTime());
    draft.setDate2((new GregorianCalendar(2009, 1, 3)).getTime());
    draft.setLocationName("Virunga");
    draft.setProject(new ProjectDTO(1, "SomeProject"));
    draft.setReportingPeriodId(11);
    draft.setIndicatorValue(1, 1);
    draft.setIndicatorValue(2, 2);

    // Wrap the model in a command and check that the location id was copied into its properties.
    CreateSite createCommand = new CreateSite(draft);
    assertThat((Integer) createCommand.getProperties().get("locationId"), equalTo(1));

    // Run the command as user 1 and adopt the id reported in the result.
    setUser(1);
    CreateResult created = execute(createCommand);
    draft.setId(created.getNewId());

    // First read: entered values 1 and 2, plus 3 and 0.5 for indicators 11 and 12.
    SiteDTO afterCreate = readSite(draft.getId());
    Assert.assertEquals(1d, afterCreate.<Object>getIndicatorValue(1));
    Assert.assertEquals(2d, afterCreate.<Object>getIndicatorValue(2));
    Assert.assertEquals(3d, afterCreate.<Object>getIndicatorValue(11));
    Assert.assertEquals(0.5d, afterCreate.<Object>getIndicatorValue(12));

    // Clear both entered values on a copy and submit the change.
    SiteDTO cleared = new SiteDTO(draft);
    cleared.setIndicatorValue(1, null);
    cleared.setIndicatorValue(2, null);
    execute(new UpdateSite(draft, cleared));

    // Second read: the entered values are gone, and so are the values of indicators 11 and 12.
    SiteDTO afterUpdate = readSite(draft.getId());
    // The original labelled indicator 1 "BACHE" and indicator 2 "BENE" - presumably their
    // names in the fixture; confirm.
    Assert.assertEquals(null, afterUpdate.getIndicatorValue(1));
    Assert.assertEquals(null, afterUpdate.getIndicatorValue(2));
    Assert.assertEquals(null, afterUpdate.getIndicatorValue(11));
    Assert.assertEquals(null, afterUpdate.getIndicatorValue(12));
}
use of org.activityinfo.server.database.OnDataSet in project activityinfo by bedatadriven.
the class GetReportsTest method performanceTest.
/**
 * Guards the response time of {@code GetReports} (issue AI-1223): the command must return
 * the expected first report and the timed section must stay under one second.
 */
@OnDataSet("/dbunit/get-report-performance-tests.db.xml")
// AI-1223
@Test
public void performanceTest() {
    // Figures recorded by the original author:
    //   before tuning: 1838ms sql fetch, 1962ms for the client (incl. serialization/deserialization)
    //   after tuning:   229ms sql fetch,  273ms for the client (incl. serialization/deserialization)
    setUser(1);

    Stopwatch timer = Stopwatch.createStarted();
    ReportsResult reports = execute(new GetReports());

    // The content checks run before the clock is read, so they count towards the measured time.
    assertNotNull(reports);
    assertEquals(1, reports.getData().get(0).getId());
    assertEquals("Report 1", reports.getData().get(0).getTitle());
    assertEquals("Alex", reports.getData().get(0).getOwnerName());

    long elapsed = timer.elapsed(TimeUnit.MILLISECONDS);

    // Budget: strictly less than one second of wall-clock time.
    assertTrue("GetReports takes " + elapsed + "ms.", 1000 > elapsed);
}
use of org.activityinfo.server.database.OnDataSet in project activityinfo by bedatadriven.
the class LocalGetSchemaHandlerIntTest method forUser.
/**
 * Runs {@code GetSchema} and {@code GetActivityForm} locally as user 4 and checks the
 * permission flags reported for database 1 together with the attribute groups of activity 1.
 *
 * @throws CommandException if a command fails
 */
@Test
@OnDataSet("/dbunit/sites-simple1.db.xml")
public void forUser() throws CommandException {
    // According to the original comment, user 4 only has view access to database 1.
    setUser(4);
    synchronize();

    SchemaDTO localSchema = executeLocally(new GetSchema());
    assertThat(localSchema.getDatabases().size(), equalTo(2));

    // Permission flags the local schema reports for database 1.
    UserDatabaseDTO databaseOne = localSchema.getDatabaseById(1);
    assertThat(databaseOne.getAmOwner(), equalTo(false));
    assertThat(databaseOne.isViewAllAllowed(), equalTo(false));
    assertThat(databaseOne.isEditAllowed(), equalTo(false));
    // NOTE(review): editAll == true next to edit == false and viewAll == false does not match
    // "view access only". Confirm against the fixture before relying on this assertion as the
    // intended permission model.
    assertThat(databaseOne.isEditAllAllowed(), equalTo(true));

    // The activity form must expose its attribute groups to this user as well.
    ActivityFormDTO form = executeLocally(new GetActivityForm(1));
    assertThat(form.getAttributeGroups().size(), equalTo(3));

    AttributeGroupDTO firstGroup = form.getAttributeGroupById(1);
    assertThat(firstGroup.getName(), equalTo("cause"));
    assertThat(firstGroup.getAttributes().size(), equalTo(2));
}