author Daniel Silverstone <dsilvers@digital-scurf.org> 2013-06-22 15:56:09 +0100
committer Daniel Silverstone <dsilvers@digital-scurf.org> 2013-06-22 15:56:09 +0100
commit e98156c549fd5a67fe7ab0a5bcaf72a1f51330ce
tree c7d50dad11ae0f7cb9aaa4fef6ba539503310260
parent 1630874880c9bf9c67a4be1b3783a5bf5778e06b
Additional scenario for the 'as' command
-rw-r--r-- testing/02-commands-as.yarn 34
1 files changed, 34 insertions, 0 deletions
diff --git a/testing/02-commands-as.yarn b/testing/02-commands-as.yarn
index 1a96617..ce8afbf 100644
--- a/testing/02-commands-as.yarn
+++ b/testing/02-commands-as.yarn
@@ -36,3 +36,37 @@ The final trivial case is that a user which can run `as` cannot use it to run
AND stderr contains Cannot use 'as' to run 'as'
AND stderr contains Validation of command line failed
AND stderr contains exit:1
+
+Security-related cases for `as` invocation
+------------------------------------------
+
+There are a number of security implications for the `as` command. In the
+simplest of cases it is only necessary to grant gitano-admin members the right
+to run commands `as` other users. In this way, only those who could otherwise
+alter the users in the first place can act on their behalf.
+
+There is, however, a potential information leak -- namely if someone who does
+not have the right to run commands 'as' another user runs an `as` with a user
+which does not exist. It is critical that this simply be reported as a lack of
+permission to run any command, and not leak that the target user does not exist
+in any way.
+
+ SCENARIO Ensuring 'as' does not leak user presence
+
+ GIVEN a standard instance
+ AND testinstance has keys called other
+ WHEN testinstance, using adminkey, adds user other, using testinstance other
+ AND testinstance adminkey runs as other whoami
+ THEN stderr is empty
+ WHEN testinstance other, expecting failure, runs as badger whoami
+ THEN stdout is empty
+ AND stderr does not contain badger
+
+Finally we ensure that when a user who may run `as` commands does so, but
+manages to typo a username, they get a useful error message.
+
+ WHEN testinstance adminkey, expecting failure, runs as badger whoami
+ THEN stderr contains badger
+ AND stderr contains does not exist
+ AND stderr contains exit:1
+ AND stdout is empty
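
Review bot: The unprivileged step in the "Ensuring 'as' does not leak user presence" scenario (`WHEN testinstance other, expecting failure, runs as badger whoami`) only asserts that stdout is empty and that stderr does not contain `badger`, so an error that reveals the user is missing without naming it would still pass, although the prose requires the failure to be reported purely as a lack of permission. Consider adding `AND stderr does not contain does not exist` and an exit-status assertion like the `stderr contains exit:1` used in the admin case. A companion step in which `other` runs `as` against a user that does exist would also help, so the two failures can be shown to produce the same output. The scenario also never asserts what the permission-denied message actually says; a positive check on that text would pin the intended behaviour rather than only excluding one string.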