Testing Plone Site Security Policy - Is Your Intranet Doing What You Think It Is?

Post on 23-Jan-2015


description

Plone is a powerful system that allows you to create complex sites, with complex workflows and user access control. But how do you know if the site you are building really does what you expect it to do? You have workgroups that can be private, public or secret; you have documents that can be private, draft, pending or published; you have users that can be members, authors, reviewers, contributors, managers... How can you be sure that for every combination your site does what you expect? I will present the experiences of developing a complex intranet with a scenario similar to the above, and show the tools we developed and the approach we used to ensure that the policy as defined by the client was what the site eventually conformed to. We built a testing system to allow the policy for a site to be easily defined and the thousands of security permutations to be effectively visualised and problem patterns spotted. The talk will also include a step-by-step run through of the use of the tools and a simple example of testing site policy.

transcript

understand, develop, deliver. www.netsight.co.uk

Testing Plone Site Security Policy

Matt Hamilton, Netsight Internet Solutions, UK

(Is your intranet doing what you think it is?)


What this talk is NOT

• Not talking about security vulnerabilities

• Not talking about code unit testing

• Not talking about penetration testing

So what IS this talk?

It goes something a bit like this:

Boss: Is our intranet secure?

You: Yes of course!

So what IS this talk?

• But is it really?! Let's think about this:

➡ You installed Plone

➡ You created a set of custom content types

➡ You created a custom workflow

➡ Users have group memberships, local roles, etc.

So our site is now quite complex in terms of who should be allowed to do what, and where.

Our use-case

Belron.net

• Belron.net Intranet is based around ‘Projects’ and ‘Groups’

- Users have local membership and roles of individual groups and projects

- Projects may be in various ‘states’: Public, Private, Secret

- Users have local roles to their project: Member, Contributor, Reviewer, Owner, Manager

- Content within a project may be in various states: Private, Draft, Pending, Published

So....

• If a piece of content is in the pending state, in a private project, in which I am a member and contributor, should I be able to edit it?

• If a project is in the secret state, and I am a non-member, should I be able to view the project description?

Policy decisions

• These are POLICY decisions for the site, not really CODE decisions.

- i.e. these are high-level objectives set by analysts/managers, not coders

- But they will catch errors in the code or customisation

Coverage

• So, we have 3 project states x 5 local roles x 4 content states = 60 permutations

• oh... and in Plone Owner has special meaning on a piece of content... so 120 permutations

• And for each one we want to test: can I View, Edit, List, Delete, Add....

• For Belron.net we had approx 1,300 tests needed

An idea...

• What if there was a nice, easy way to test all these different permutations in an automated way, drive it all from a manager-friendly spreadsheet, and be able to visually see the results?

PolicyTestCase

• Similar to PloneTestCase

• Write a bunch of tests

• Export a spreadsheet as CSV

• Run the tests

• See the results in a table


PolicyTestCase

    class TestDefaultPlone(PolicyTestCase):

        def afterSetUp(self):
            # Set up the state, e.g. workflow etc.
            pass

        def ViewContent(self):
            # Test we can view the content
            pass

        def NoViewContent(self):
            # Test we can NOT view the content
            pass

PolicyTestCase

    def test_suite():
        from unittest import TestSuite
        suite = TestSuite()
        # One test per row of the manager-maintained spreadsheet, exported as CSV
        csv = open('%s/test_scenarios_simple2.csv' % PACKAGE_HOME)
        suite.addTest(makeSuiteFromCSV(TestDefaultPlone, csv))
        return suite
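The CSV-driven suite builder the PolicyTestCase slides describe, as an added illustration written for this page rather than code from Netsight's PolicyTestCase package: site_allows_view is a constructed stand-in for the Plone permission check, and makeSuiteFromCSV and run_policy_matrix are hypothetical names that turn each spreadsheet row (project state, local role, content state, expected outcome) into one unittest instance whose pass/fail can be laid out as a results table.

```python
import csv
import unittest

# Constructed stand-in for the site; a real PolicyTestCase would call Plone's checkPermission.
def site_allows_view(project_state, role, content_state):
    if project_state == "secret" and role == "non-member":
        return False
    if content_state == "private":
        return role in ("owner", "manager")
    if content_state in ("draft", "pending"):
        return role != "non-member"
    return True  # published


class PolicyTestCase(unittest.TestCase):
    project_state = role = content_state = expect = None  # set per CSV row

    def ViewContent(self):
        self.assertTrue(site_allows_view(self.project_state, self.role, self.content_state))

    def NoViewContent(self):
        self.assertFalse(site_allows_view(self.project_state, self.role, self.content_state))


def makeSuiteFromCSV(testcase_class, csv_lines):
    """Build one test per CSV row; the 'expect' column names the test method."""
    suite = unittest.TestSuite()
    for row in csv.DictReader(csv_lines):
        test = testcase_class(row["expect"])  # ViewContent or NoViewContent
        for field in ("project_state", "role", "content_state", "expect"):
            setattr(test, field, row[field])
        suite.addTest(test)
    return suite


def run_policy_matrix(csv_text):
    # Run each scenario on its own so the results table has one row per permutation
    results = {}
    for test in makeSuiteFromCSV(PolicyTestCase, csv_text.splitlines()):
        outcome = unittest.TestResult()
        test.run(outcome)
        key = (test.project_state, test.role, test.content_state, test.expect)
        results[key] = outcome.wasSuccessful()
    return results


# Constructed spreadsheet export; the last row states a policy the stand-in site breaks.
SCENARIOS_CSV = """project_state,role,content_state,expect
private,contributor,pending,ViewContent
secret,non-member,published,NoViewContent
private,member,private,NoViewContent
secret,non-member,draft,ViewContent
"""
```

A False entry in the returned dict is a permutation where the site's behaviour and the spreadsheet's policy disagree, which is exactly the pattern the results table is meant to make visible.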

Demo

Demo and walkthrough of the code


Questions?

Any questions?

Matt Hamilton, matth@netsight.co.uk

PolicyTestCase: in collective, will do a release real soon now ;)