
Example 1 with OnDataSet

use of org.activityinfo.server.database.OnDataSet in project activityinfo by bedatadriven.

the class GcsBlobFieldStorageServiceTest method blobPermissionAttack.

/**
 * Blob permission check:
 * 1. user1 : uploads a blob and persists it with FormInstance1 (FormClass1)
 * 2. user2 : persists the same blob with FormInstance2 (FormClass2) -> tries to steal blob access;
 *    this second persist must be rejected
 */
@Test
@OnDataSet("/dbunit/sites-simple-blob-security.db.xml")
public void blobPermissionAttack() throws IOException {
    blobService.setTestBucketName();

    final int ownerActivityId = 1;
    final int databaseId = 1;
    final int locationType = 10;

    // Step 1: upload the blob against the form class of activity 1, then persist an
    // instance of that form that references the blob through a new attachment field.
    ResourceId ownerAttachmentFieldId = ResourceId.generateFieldId(AttachmentType.TYPE_CLASS);
    FormClass ownerFormClass = addAttachmentField(ownerActivityId, ownerAttachmentFieldId);

    blobId = BlobId.generate();
    String contentDisposition = "attachment;filename=" + FILE_NAME;
    blobService.put(user, contentDisposition, MimeTypeUtil.mimeTypeFromFileName(FILE_NAME), blobId, ownerFormClass.getId(), GcsBlobFieldStorageServiceTest.class.getResourceAsStream("goabout.png"));

    FormInstance instance = new FormInstance(CuidAdapter.cuid(SITE_DOMAIN, new KeyGenerator().generateInt()), ownerFormClass.getId());

    // The attachment only carries the blob id, mime type and file name; the same
    // AttachmentValue object is reused in step 2 so both instances point at one blob.
    Attachment blobReference = new Attachment();
    blobReference.setMimeType(MimeTypeUtil.mimeTypeFromFileName(FILE_NAME));
    blobReference.setBlobId(blobId.asString());
    blobReference.setFilename(FILE_NAME);
    AttachmentValue sharedAttachmentValue = new AttachmentValue();
    sharedAttachmentValue.getValues().add(blobReference);

    instance.set(indicatorField(1), 1);
    instance.set(indicatorField(2), 2);
    instance.set(ownerAttachmentFieldId, sharedAttachmentValue);
    instance.set(locationField(ownerActivityId), locationRef(CuidAdapter.locationFormClass(locationType), 1));
    instance.set(partnerField(ownerActivityId), partnerRef(databaseId, 1));
    instance.set(projectField(ownerActivityId), projectRef(databaseId, 1));
    instance.set(field(ownerFormClass.getId(), START_DATE_FIELD), new LocalDate(2014, 1, 1));
    instance.set(field(ownerFormClass.getId(), END_DATE_FIELD), new LocalDate(2014, 1, 1));
    instance.set(field(ownerFormClass.getId(), COMMENT_FIELD), "My comment");

    assertResolves(locator.persist(instance));
    assertInstanceExists(ownerFormClass.getId(), instance.getId());

    // Step 2: switch the authenticated user, re-target the same instance object at
    // activity 32 under a fresh id, and reference the blob from step 1 again.
    AuthenticationModuleStub.setUserId(USER_WITHOUT_ACCESS_TO_DB_1);

    final int otherActivityId = 32;
    ResourceId otherAttachmentFieldId = ResourceId.generateFieldId(AttachmentType.TYPE_CLASS);
    addAttachmentField(otherActivityId, otherAttachmentFieldId);

    instance.setId(CuidAdapter.cuid(SITE_DOMAIN, new KeyGenerator().generateInt()));
    instance.setClassId(CuidAdapter.activityFormClass(otherActivityId));
    instance.set(otherAttachmentFieldId, sharedAttachmentValue);
    instance.set(field(instance.getFormId(), START_DATE_FIELD), new LocalDate(2014, 1, 1));
    instance.set(field(instance.getFormId(), END_DATE_FIELD), new LocalDate(2014, 1, 1));
    instance.set(partnerField(otherActivityId), partnerRef(databaseId, 1));

    // NOTE(review): any RuntimeException counts as a rejection below, so an unrelated
    // failure would also make this test pass. One candidate is validation of the
    // re-targeted instance, which presumably still holds the values set for the first
    // form. Asserting on the specific exception raised by the blob permission check
    // (its type is not visible in this method) would make the test fail when the
    // persist is refused for the wrong reason.
    boolean secondPersistSucceeded;
    try {
        // the blob permission check is expected to refuse this persist
        assertResolves(locator.persist(instance));
        secondPersistSucceeded = true;
    } catch (RuntimeException e) {
        e.printStackTrace();
        secondPersistSucceeded = false;
    }

    assertFalse("Access to blob is stolen! Permissions check for blobs is broken.", secondPersistSucceeded);
}
Also used : AttachmentValue(org.activityinfo.model.type.attachment.AttachmentValue) ResourceId(org.activityinfo.model.resource.ResourceId) FormClass(org.activityinfo.model.form.FormClass) Attachment(org.activityinfo.model.type.attachment.Attachment) FormInstance(org.activityinfo.model.form.FormInstance) KeyGenerator(org.activityinfo.model.legacy.KeyGenerator) LocalDate(org.activityinfo.model.type.time.LocalDate) OnDataSet(org.activityinfo.server.database.OnDataSet) Test(org.junit.Test)

Example 2 with OnDataSet

use of org.activityinfo.server.database.OnDataSet in project activityinfo by bedatadriven.

the class CreateDatabaseTest method testCreate.

@Test
@OnDataSet("/dbunit/sites-simple1.db.xml")
public void testCreate() throws CommandException {
    // Build the database definition that is sent to the server.
    UserDatabaseDTO requested = new UserDatabaseDTO();
    requested.setName("RIMS");
    requested.setFullName("Reintegration Management Information System");

    // Create it, then look the new database up in the schema by the returned id.
    CreateResult created = execute(new CreateEntity(requested));
    SchemaDTO schemaAfterCreate = execute(new GetSchema());
    UserDatabaseDTO stored = schemaAfterCreate.getDatabaseById(created.getNewId());

    assertNotNull(stored);
    assertEquals(requested.getName(), stored.getName());
    assertEquals(requested.getFullName(), stored.getFullName());
    assertNotNull(stored.getCountry());
    // Ownership check: "Alex" is presumably the user the test harness executes as;
    // confirm against the fixture.
    assertEquals("Alex", stored.getOwnerName());
    // The new database is expected to have exactly one partner.
    assertThat(stored.getPartners(), hasSize(1));
}
Also used : CreateEntity(org.activityinfo.legacy.shared.command.CreateEntity) CreateResult(org.activityinfo.legacy.shared.command.result.CreateResult) UserDatabaseDTO(org.activityinfo.legacy.shared.model.UserDatabaseDTO) SchemaDTO(org.activityinfo.legacy.shared.model.SchemaDTO) GetSchema(org.activityinfo.legacy.shared.command.GetSchema) OnDataSet(org.activityinfo.server.database.OnDataSet) Test(org.junit.Test)

Example 3 with OnDataSet

use of org.activityinfo.server.database.OnDataSet in project activityinfo by bedatadriven.

the class CreateSiteTest method testSiteWithCalculatedIndicators.

@OnDataSet("/dbunit/sites-calculated-indicators.db.xml")
@Test
public void testSiteWithCalculatedIndicators() throws CommandException {
    // Assemble a detached client-side site model.
    SiteDTO draft = new SiteDTO();
    draft.setId(new KeyGenerator().generateInt());
    draft.setActivityId(1);
    draft.setLocationId(1);
    draft.setPartner(new PartnerDTO(1, "Foobar"));

    // NOTE(review): GregorianCalendar months are zero-based and the calendar is lenient
    // by default, so month 12 rolls over to January 2009 and month 1 is February.
    // Confirm these are the intended dates.
    GregorianCalendar periodStart = new GregorianCalendar(2008, 12, 1);
    draft.setDate1(periodStart.getTime());
    GregorianCalendar periodEnd = new GregorianCalendar(2009, 1, 3);
    draft.setDate2(periodEnd.getTime());

    draft.setLocationName("Virunga");
    draft.setProject(new ProjectDTO(1, "SomeProject"));
    draft.setReportingPeriodId(11);
    draft.setIndicatorValue(1, 1);
    draft.setIndicatorValue(2, 2);

    // Wrap the model in a command and check the location id made it into the properties.
    CreateSite createCommand = new CreateSite(draft);
    assertThat((Integer) createCommand.getProperties().get("locationId"), equalTo(1));

    // Run the command as user 1 and adopt the id returned by the server.
    setUser(1);
    CreateResult created = execute(createCommand);
    draft.setId(created.getNewId());

    // Read back: indicators 1 and 2 hold the entered values, 11 and 12 the values
    // derived from them (3 and 0.5).
    SiteDTO afterCreate = readSite(draft.getId());
    Assert.assertEquals(1d, afterCreate.<Object>getIndicatorValue(1));
    Assert.assertEquals(2d, afterCreate.<Object>getIndicatorValue(2));
    Assert.assertEquals(3d, afterCreate.<Object>getIndicatorValue(11));
    Assert.assertEquals(0.5d, afterCreate.<Object>getIndicatorValue(12));

    // Clear both entered indicators on a copy and submit that as an update.
    SiteDTO cleared = new SiteDTO(draft);
    cleared.setIndicatorValue(1, null);
    cleared.setIndicatorValue(2, null);
    execute(new UpdateSite(draft, cleared));

    // After the update the entered and the derived indicators must all read back as null.
    SiteDTO afterUpdate = readSite(draft.getId());
    // BACHE
    Assert.assertEquals(null, afterUpdate.getIndicatorValue(1));
    // BENE
    Assert.assertEquals(null, afterUpdate.getIndicatorValue(2));
    Assert.assertEquals(null, afterUpdate.getIndicatorValue(11));
    Assert.assertEquals(null, afterUpdate.getIndicatorValue(12));
}
Also used : CreateResult(org.activityinfo.legacy.shared.command.result.CreateResult) GregorianCalendar(java.util.GregorianCalendar) KeyGenerator(org.activityinfo.model.legacy.KeyGenerator) UpdateSite(org.activityinfo.legacy.shared.command.UpdateSite) CreateSite(org.activityinfo.legacy.shared.command.CreateSite) OnDataSet(org.activityinfo.server.database.OnDataSet) Test(org.junit.Test)

Example 4 with OnDataSet

use of org.activityinfo.server.database.OnDataSet in project activityinfo by bedatadriven.

the class GetReportsTest method performanceTest.

@OnDataSet("/dbunit/get-report-performance-tests.db.xml")
// AI-1223
@Test
public void performanceTest() {
    // Recorded timings:
    //   before tuning: 1838ms sql fetch, 1962ms seen by the client (incl. serialization/deserialization)
    //   after tuning:   229ms sql fetch,  273ms seen by the client (incl. serialization/deserialization)
    setUser(1);

    Stopwatch timer = Stopwatch.createStarted();
    ReportsResult reports = execute(new GetReports());

    assertNotNull(reports);
    assertEquals(1, reports.getData().get(0).getId());
    assertEquals("Report 1", reports.getData().get(0).getTitle());
    assertEquals("Alex", reports.getData().get(0).getOwnerName());

    // The stopwatch is read after the assertions above, so they count towards the budget.
    long elapsed = timer.elapsed(TimeUnit.MILLISECONDS);

    // Budget: strictly less than one second of wall-clock time.
    assertTrue("GetReports takes " + elapsed + "ms.", elapsed < 1000);
}
Also used : GetReports(org.activityinfo.legacy.shared.command.GetReports) Stopwatch(com.google.common.base.Stopwatch) ReportsResult(org.activityinfo.legacy.shared.command.result.ReportsResult) OnDataSet(org.activityinfo.server.database.OnDataSet) Test(org.junit.Test)

Example 5 with OnDataSet

use of org.activityinfo.server.database.OnDataSet in project activityinfo by bedatadriven.

the class LocalGetSchemaHandlerIntTest method forUser.

@Test
@OnDataSet("/dbunit/sites-simple1.db.xml")
public void forUser() throws CommandException {
    // User 4 is described by the fixture author as having only view access to database 1.
    setUser(4);
    synchronize();

    // The locally executed schema query returns two databases for this user.
    SchemaDTO localSchema = executeLocally(new GetSchema());
    assertThat(localSchema.getDatabases().size(), equalTo(2));

    // Permission flags on database 1 as seen by this user.
    // NOTE(review): edit-all is asserted true while edit is asserted false, which looks
    // at odds with a view-only user. Confirm against the fixture that this is the
    // intended permission model and not an over-permissive flag pinned by the test.
    UserDatabaseDTO databaseOne = localSchema.getDatabaseById(1);
    assertThat(databaseOne.getAmOwner(), equalTo(false));
    assertThat(databaseOne.isViewAllAllowed(), equalTo(false));
    assertThat(databaseOne.isEditAllowed(), equalTo(false));
    assertThat(databaseOne.isEditAllAllowed(), equalTo(true));

    // The form of activity 1 has three attribute groups; group 1 is "cause" with two attributes.
    ActivityFormDTO activityForm = executeLocally(new GetActivityForm(1));
    assertThat(activityForm.getAttributeGroups().size(), equalTo(3));

    AttributeGroupDTO causeGroup = activityForm.getAttributeGroupById(1);
    assertThat(causeGroup.getName(), equalTo("cause"));
    assertThat(causeGroup.getAttributes().size(), equalTo(2));
}
Also used : AttributeGroupDTO(org.activityinfo.legacy.shared.model.AttributeGroupDTO) ActivityFormDTO(org.activityinfo.legacy.shared.model.ActivityFormDTO) UserDatabaseDTO(org.activityinfo.legacy.shared.model.UserDatabaseDTO) SchemaDTO(org.activityinfo.legacy.shared.model.SchemaDTO) OnDataSet(org.activityinfo.server.database.OnDataSet) Test(org.junit.Test)

Aggregations

OnDataSet (org.activityinfo.server.database.OnDataSet)48 Test (org.junit.Test)46 PartnerResult (org.activityinfo.legacy.shared.command.result.PartnerResult)9 SiteDTO (org.activityinfo.legacy.shared.model.SiteDTO)8 CreateResult (org.activityinfo.legacy.shared.command.result.CreateResult)6 SiteResult (org.activityinfo.legacy.shared.command.result.SiteResult)6 EntityManager (javax.persistence.EntityManager)5 GetSites (org.activityinfo.legacy.shared.command.GetSites)5 FormInstance (org.activityinfo.model.form.FormInstance)5 SortInfo (com.extjs.gxt.ui.client.data.SortInfo)4 Date (java.util.Date)4 Response (javax.ws.rs.core.Response)4 GetSyncRegionUpdates (org.activityinfo.legacy.shared.command.GetSyncRegionUpdates)4 SyncRegionUpdate (org.activityinfo.legacy.shared.command.result.SyncRegionUpdate)4 PartnerDTO (org.activityinfo.legacy.shared.model.PartnerDTO)4 SchemaDTO (org.activityinfo.legacy.shared.model.SchemaDTO)4 ResourceId (org.activityinfo.model.resource.ResourceId)4 LocalDate (org.activityinfo.model.type.time.LocalDate)4 GetUsers (org.activityinfo.legacy.shared.command.GetUsers)3 UpdateUserPermissions (org.activityinfo.legacy.shared.command.UpdateUserPermissions)3