External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-07 11:41:08 -03:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1176 from jakemcdermott/stabilize-xss

Browse Source 
use project details view to check permissions list
This commit is contained in:
Jake McDermott
2018-02-08 17:32:39 -05:00
committed by GitHub
parent 5932c54126 67e5d083b8
commit 6cb6c61e5c
2 changed files with 98 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
awx/ui/test/e2e/fixtures.js
View File

@@ -293,6 +293,29 @@ const getJobTemplateAdmin = (namespace = session) => {
.then(spread(user => user)); .then(spread(user => user));
}; };
const getProjectAdmin = (namespace = session) => {
const rolePromise = getUpdatedProject(namespace)
.then(obj => obj.summary_fields.object_roles.admin_role);
const userPromise = getOrganization(namespace)
.then(obj => getOrCreate('/users/', {
username: `project-admin-${uuid().substr(0, 8)}`,
organization: obj.id,
first_name: 'firstname',
last_name: 'lastname',
email: 'null@ansible.com',
is_superuser: false,
is_system_auditor: false,
password: AWX_E2E_PASSWORD
}));
const assignRolePromise = Promise.all([userPromise, rolePromise])
.then(spread((user, role) => post(`/api/v2/roles/${role.id}/users/`, { id: user.id })));
return Promise.all([userPromise, assignRolePromise])
.then(spread(user => user));
};
const getInventorySourceSchedule = (namespace = session) => getInventorySource(namespace) const getInventorySourceSchedule = (namespace = session) => getInventorySource(namespace)
.then(source => getOrCreate(source.related.schedules, { .then(source => getOrCreate(source.related.schedules, {
name: `${source.name}-schedule`, name: `${source.name}-schedule`,
@@ -321,6 +344,7 @@ module.exports = {
getNotificationTemplate, getNotificationTemplate,
getOrCreate, getOrCreate,
getOrganization, getOrganization,
getProjectAdmin,
getSmartInventory, getSmartInventory,
getTeam, getTeam,
getUpdatedProject, getUpdatedProject,

149
awx/ui/test/e2e/tests/test-xss.js
View File

@@ -6,10 +6,10 @@ import {
getInventorySource, getInventorySource,
getInventorySourceSchedule, getInventorySourceSchedule,
getJobTemplate, getJobTemplate,
getJobTemplateAdmin,
getJobTemplateSchedule, getJobTemplateSchedule,
getNotificationTemplate, getNotificationTemplate,
getOrganization, getOrganization,
getProjectAdmin,
getSmartInventory, getSmartInventory,
getTeam, getTeam,
getUpdatedProject, getUpdatedProject,
@@ -38,7 +38,7 @@ module.exports = {
getJobTemplate(namespace).then(obj => { data.jobTemplate = obj; }), getJobTemplate(namespace).then(obj => { data.jobTemplate = obj; }),
getJobTemplateSchedule(namespace).then(obj => { data.jobTemplateSchedule = obj; }), getJobTemplateSchedule(namespace).then(obj => { data.jobTemplateSchedule = obj; }),
getTeam(namespace).then(obj => { data.team = obj; }), getTeam(namespace).then(obj => { data.team = obj; }),
getJobTemplateAdmin(namespace).then(obj => { data.user = obj; }), getProjectAdmin(namespace).then(obj => { data.user = obj; }),
getNotificationTemplate(namespace).then(obj => { data.notification = obj; }), getNotificationTemplate(namespace).then(obj => { data.notification = obj; }),
getJob(namespaceShort).then(obj => { data.job = obj; }), getJob(namespaceShort).then(obj => { data.job = obj; }),
]; ];
@@ -48,7 +48,6 @@ module.exports = {
pages.organizations = client.page.organizations(); pages.organizations = client.page.organizations();
pages.inventories = client.page.inventories(); pages.inventories = client.page.inventories();
pages.inventoryScripts = client.page.inventoryScripts(); pages.inventoryScripts = client.page.inventoryScripts();
pages.hosts = client.page.hosts();
pages.projects = client.page.projects(); pages.projects = client.page.projects();
pages.credentials = client.page.credentials(); pages.credentials = client.page.credentials();
pages.templates = client.page.templates(); pages.templates = client.page.templates();
@@ -59,7 +58,7 @@ module.exports = {
urls.organization = `${pages.organizations.url()}/${data.organization.id}`; urls.organization = `${pages.organizations.url()}/${data.organization.id}`;
urls.inventory = `${pages.inventories.url()}/inventory/${data.inventory.id}`; urls.inventory = `${pages.inventories.url()}/inventory/${data.inventory.id}`;
urls.hosts = `${pages.hosts.url()}`; urls.inventoryHosts = `${urls.inventory}/hosts`;
urls.inventoryScript = `${pages.inventoryScripts.url()}/${data.inventoryScript.id}`; urls.inventoryScript = `${pages.inventoryScripts.url()}/${data.inventoryScript.id}`;
urls.inventorySource = `${urls.inventory}/inventory_sources/edit/${data.inventorySource.id}`; urls.inventorySource = `${urls.inventory}/inventory_sources/edit/${data.inventorySource.id}`;
urls.sourceSchedule = `${urls.inventorySource}/schedules/${data.sourceSchedule.id}`; urls.sourceSchedule = `${urls.inventorySource}/schedules/${data.sourceSchedule.id}`;
@@ -107,75 +106,6 @@ module.exports = {
client.pause(500).expect.element('div.spinny').not.visible; client.pause(500).expect.element('div.spinny').not.visible;
client.expect.element('#multi-credential-modal').not.present; client.expect.element('#multi-credential-modal').not.present;
}, },
'check template roles list for unsanitized content': client => {
const itemDelete = `#permissions_table tr[id="${data.user.id}"] div[class*="RoleList-deleteContainer"]`;
client.expect.element('#permissions_tab').visible;
client.expect.element('#permissions_tab').enabled;
client.click('#permissions_tab');
client.expect.element('div.spinny').visible;
client.expect.element('div.spinny').not.visible;
client.expect.element('#xss').not.present;
client.expect.element('[class=xss]').not.present;
client.expect.element('div[ui-view="related"]').visible;
client.expect.element('div[ui-view="related"] smart-search input').enabled;
client.sendKeys('div[ui-view="related"] smart-search input', `id:${data.user.id}`);
client.sendKeys('div[ui-view="related"] smart-search input', client.Keys.ENTER);
client.expect.element('div.spinny').not.visible;
client.expect.element(itemDelete).visible;
client.expect.element(itemDelete).enabled;
client.click(itemDelete);
client.expect.element('#prompt-header').visible;
client.expect.element('#prompt-header').text.equal('USER ACCESS REMOVAL');
client.expect.element('#prompt_cancel_btn').enabled;
client.expect.element('#xss').not.present;
client.expect.element('[class=xss]').not.present;
client.click('#prompt_cancel_btn');
client.expect.element('#prompt-header').not.visible;
},
'check template permissions view for unsanitized content': client => {
client.expect.element('button[aw-tool-tip="Add a permission"]').visible;
client.expect.element('button[aw-tool-tip="Add a permission"]').enabled;
client.click('button[aw-tool-tip="Add a permission"]');
client.expect.element('div.spinny').not.visible;
client.expect.element('div[class="AddPermissions-header"]').visible;
client.expect.element('div[class="AddPermissions-header"]').attribute('innerHTML')
.contains('<div id="xss" class="xss">test</div>');
client.expect.element('#xss').not.present;
client.expect.element('[class=xss]').not.present;
client.expect.element('div[class="AddPermissions-dialog"] button[class*="exit"]').enabled;
client.click('div[class="AddPermissions-dialog"] button[class*="exit"]');
client.expect.element('div.spinny').visible;
client.expect.element('div.spinny').not.visible;
// client.expect.element('div.spinny').visible;
client.expect.element('div.spinny').not.visible;
client.waitForAngular();
client.expect.element('#job_template_tab').enabled;
client.click('#job_template_tab');
client.expect.element('#job_template_form').visible;
},
'check template list for unsanitized content': client => { 'check template list for unsanitized content': client => {
const itemRow = `#row-${data.jobTemplate.id}`; const itemRow = `#row-${data.jobTemplate.id}`;
const itemName = `${itemRow} .at-RowItem-header`; const itemName = `${itemRow} .at-RowItem-header`;
@@ -229,7 +159,7 @@ module.exports = {
client.expect.element('[class=xss]').not.present; client.expect.element('[class=xss]').not.present;
}, },
'check user roles list for unsanitized content': client => { 'check user roles list for unsanitized content': client => {
const adminRole = data.jobTemplate.summary_fields.object_roles.admin_role; const adminRole = data.project.summary_fields.object_roles.admin_role;
const itemDelete = `#permissions_table tr[id="${adminRole.id}"] #delete-action`; const itemDelete = `#permissions_table tr[id="${adminRole.id}"] #delete-action`;
client.expect.element('#permissions_tab').visible; client.expect.element('#permissions_tab').visible;
@@ -508,6 +438,75 @@ module.exports = {
client.expect.element('#xss').not.present; client.expect.element('#xss').not.present;
client.expect.element('[class=xss]').not.present; client.expect.element('[class=xss]').not.present;
}, },
'check project roles list for unsanitized content': client => {
const itemDelete = `#permissions_table tr[id="${data.user.id}"] div[class*="RoleList-deleteContainer"]`;
client.expect.element('#permissions_tab').visible;
client.expect.element('#permissions_tab').enabled;
client.click('#permissions_tab');
client.expect.element('div.spinny').visible;
client.expect.element('div.spinny').not.visible;
client.expect.element('#xss').not.present;
client.expect.element('[class=xss]').not.present;
client.expect.element('div[ui-view="related"]').visible;
client.expect.element('div[ui-view="related"] smart-search input').enabled;
client.sendKeys('div[ui-view="related"] smart-search input', `id:${data.user.id}`);
client.sendKeys('div[ui-view="related"] smart-search input', client.Keys.ENTER);
client.expect.element('div.spinny').not.visible;
client.expect.element(itemDelete).visible;
client.expect.element(itemDelete).enabled;
client.click(itemDelete);
client.expect.element('#prompt-header').visible;
client.expect.element('#prompt-header').text.equal('USER ACCESS REMOVAL');
client.expect.element('#prompt_cancel_btn').enabled;
client.expect.element('#xss').not.present;
client.expect.element('[class=xss]').not.present;
client.click('#prompt_cancel_btn');
client.expect.element('#prompt-header').not.visible;
},
'check project permissions view for unsanitized content': client => {
client.expect.element('button[aw-tool-tip="Add a permission"]').visible;
client.expect.element('button[aw-tool-tip="Add a permission"]').enabled;
client.click('button[aw-tool-tip="Add a permission"]');
client.expect.element('div.spinny').not.visible;
client.expect.element('div[class="AddPermissions-header"]').visible;
client.expect.element('div[class="AddPermissions-header"]').attribute('innerHTML')
.contains('<div id="xss" class="xss">test</div>');
client.expect.element('#xss').not.present;
client.expect.element('[class=xss]').not.present;
client.expect.element('div[class="AddPermissions-dialog"] button[class*="exit"]').enabled;
client.click('div[class="AddPermissions-dialog"] button[class*="exit"]');
client.expect.element('div.spinny').visible;
client.expect.element('div.spinny').not.visible;
// client.expect.element('div.spinny').visible;
client.expect.element('div.spinny').not.visible;
client.waitForAngular();
client.expect.element('#project_tab').enabled;
client.click('#project_tab');
client.expect.element('#project_form').visible;
},
'check project list for unsanitized content': client => { 'check project list for unsanitized content': client => {
const itemRow = `#projects_table tr[id="${data.project.id}"]`; const itemRow = `#projects_table tr[id="${data.project.id}"]`;
const itemName = `${itemRow} td[class*="name-"] a`; const itemName = `${itemRow} td[class*="name-"] a`;
@@ -692,7 +691,7 @@ module.exports = {
const itemName = `${itemRow} td[class*="active_failures-"] a`; const itemName = `${itemRow} td[class*="active_failures-"] a`;
const popOver = `${itemRow} td[class*="active_failures-"] div[class*="popover"]`; const popOver = `${itemRow} td[class*="active_failures-"] div[class*="popover"]`;
client.navigateTo(urls.hosts); client.navigateTo(urls.inventoryHosts);
client.click(itemName); client.click(itemName);
client.expect.element(popOver).present; client.expect.element(popOver).present;