Testing Plone Site Security Policy - Is Your Intranet Doing What You Think It Is?

Plone is a powerful system that allows you to create complex sites, with complex workflows and user access control. But how do you know if the site you are building really does what you expect it to do? You have workgroups that can be private, public or secret; you have documents that can be private, draft, pending or published; you have users that can be members, authors, reviewers, contributors, managers... How can you be sure that for every combination your site does what you expect? I will present the experiences of developing a complex intranet with a scenario similar to the above, and show the tools we developed and the approach we used to ensure that the policy as defined by the client was what the site eventually conformed to. We built a testing system to allow the policy for a site to be easily defined and the thousands of security permutations to be effectively visualised and problem patterns spotted. The talk will also include a step-by-step run through the use of the tools and a simple example of testing site policy.

Presentation Transcript

  • Testing Plone Site Security Policy (Is your intranet doing what you think it is?) Matt Hamilton, Netsight Internet Solutions, UK. understand, develop, deliver. www.netsight.co.uk
  • What this talk is NOT
    - Not talking about security vulnerabilities
    - Not talking about code unit testing
    - Not talking about penetration testing
  • So what IS this talk? It goes something a bit like this:
    Boss: Is our intranet secure?
    You: Yes of course!
  • But is it really?! Let's think about this:
    ➡ You installed Plone
    ➡ You created a set of custom content types
    ➡ You created a custom workflow
    ➡ Users have group memberships, local roles, etc.
  • So our site is now quite complex in terms of who should be allowed to do what, and where.
  • Our use-case: Belron.net
    - The Belron.net intranet is based around ‘Projects’ and ‘Groups’
    - Users have local membership and roles in individual groups and projects
    - Projects may be in various ‘states’: Public, Private, Secret
    - Users have local roles on their project: Member, Contributor, Reviewer, Owner, Manager
    - Content within a project may be in various states: Private, Draft, Pending, Published
  • So....
    - If a piece of content is in the pending state, in a private project in which I am a member and contributor, should I be able to edit it?
    - If a project is in the secret state and I am a non-member, should I be able to view the project description?
  • Policy decisions
    - These are POLICY decisions for the site, not really CODE decisions.
    - i.e. these are high-level objectives set by analysts/managers, not coders
    - But they will catch errors in the code or customisation
  • Coverage
    - So, we have 3 project states x 5 local roles x 4 content states = 60 permutations
    - Oh... and in Plone, Owner has special meaning on a piece of content... so 120 permutations
    - And for each one we want to test: can I View, Edit, List, Delete, Add....
    - For Belron.net we had approx 1,300 tests needed
  • An idea... What if there was a nice, easy way to test all these different permutations in an automated way, drive it all from a manager-friendly spreadsheet, and be able to see the results visually?
  • PolicyTestCase
    - Similar to PloneTestCase
    - Write a bunch of tests
    - Export a spreadsheet as CSV
    - Run the tests
    - See the results in a table
  • PolicyTestCase

        class TestDefaultPlone(PolicyTestCase):

            def afterSetUp(self):
                # Set up the state, e.g. workflow etc.
                pass

            def ViewContent(self):
                # Test we can view the content
                pass

            def NoViewContent(self):
                # Test we can NOT view the content
                pass

  • PolicyTestCase

        def test_suite():
            from unittest import TestSuite
            suite = TestSuite()
            # The CSV exported from the policy spreadsheet drives which checks run
            csv = open('%s/test_scenarios_simple2.csv' % PACKAGE_HOME)
            suite.addTest(makeSuiteFromCSV(TestDefaultPlone, csv))
            return suite
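The sketch above leaves out how a spreadsheet row turns into a test. As an added example (not the PolicyTestCase code from the talk, which was unreleased at the time), here is a self-contained harness in the same shape: a constructed scenario sheet, a constructed stand-in for the site's permission check (no Plone involved), and a makeSuiteFromCSV that instantiates one TestCase per row and check, so a policy mismatch is reported with the exact permutation that failed.

```python
import csv
import io
import unittest

# Constructed scenario sheet (not from the talk): one row per permutation,
# 'expect' lists the check methods that row must pass.
SCENARIOS_CSV = """project_state,role,content_state,expect
public,Member,published,ViewContent;NoEditContent
private,Contributor,pending,ViewContent;NoEditContent
private,Contributor,draft,ViewContent;EditContent
secret,NonMember,published,NoViewContent
"""

def site_allows(action, project_state, role, content_state):
    # Constructed stand-in for the site under test (not Plone's checker). It
    # deliberately lets non-members view secret projects: the policy violation
    # the sheet is meant to catch.
    if role == "NonMember":
        return action == "View" and project_state in ("public", "secret")
    if action == "View":
        return True
    if action == "Edit":
        return (role in ("Contributor", "Owner", "Manager")
                and content_state in ("private", "draft"))
    return False

class PolicyTestCase(unittest.TestCase):
    # One instance per (row, check); the method name comes from the CSV, so
    # the default test loader never picks these checks up on its own.
    def __init__(self, scenario, check):
        super().__init__(methodName=check)
        self.scenario = scenario

    def expect(self, action, allowed):
        got = site_allows(action, **self.scenario)
        self.assertEqual(got, allowed, "%s on %r" % (action, self.scenario))

    def ViewContent(self): self.expect("View", True)
    def NoViewContent(self): self.expect("View", False)
    def EditContent(self): self.expect("Edit", True)
    def NoEditContent(self): self.expect("Edit", False)

def makeSuiteFromCSV(testclass, csvfile):
    suite = unittest.TestSuite()
    for row in csv.DictReader(csvfile):
        for check in row.pop("expect").split(";"):
            suite.addTest(testclass(row, check))
    return suite

def run_policy(csv_text):
    # Run the sheet; return (tests run, scenarios whose expectation failed).
    suite = makeSuiteFromCSV(PolicyTestCase, io.StringIO(csv_text))
    result = unittest.TextTestRunner(stream=io.StringIO(), verbosity=0).run(suite)
    return result.testsRun, [t.scenario for t, _ in result.failures]
```

The failing list is the raw material for the results table the talk describes: each entry is a full (project state, role, content state) permutation, so a pattern such as "every secret-project row for non-members fails" stands out immediately.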
  • Demo: demo and walkthrough of the code
  • Questions? Any questions? Matt Hamilton, matth@netsight.co.uk. PolicyTestCase: in collective, will do a release real soon now ;)