Security of tester accessors

The first commit of this merge request was introduced for zope4py3 branch but it revealed issues on py2 as well, i.e. we don't have roles in auto-generated tester methods. ``` ====================================================================== FAIL: test_method_protection (testSecurity.TestSecurity) This test will list all implicitly Public methods in any objects in ZODB. ---------------------------------------------------------------------- Traceback (most recent call last): File "/(SR)/parts/erp5/Products/ERP5/tests/testSecurity.py", line 113, in test_method_protection self.fail(message) AssertionError: The following 7 methods have a docstring but have no security assertions. /(SR)/parts/erp5/product/ERP5Form/PreferenceTool.py:65 isPreferredVcsPushMode /srv/slapgrid/slappart19/t/eiy/soft/8a7759fd7b65b20d9f87713605745d05/parts/erp5/product/ERP5Type/Accessor/AcquiredProperty.py:217 hasTelephoneValidationState /(SR)/parts/erp5/product/ERP5Type/Accessor/Base.py:219 hasViewFormIdList /(SR)/parts/erp5/product/ERP5Type/Accessor/Constant.py:94 isWebDocumentType /(SR)/parts/erp5/product/ERP5Type/Accessor/Content.py:224 hasImage /(SR)/parts/erp5/product/ERP5Type/Accessor/ContentProperty.py:283 hasImageWidthList /(SR)/parts/erp5/product/ERP5Type/Accessor/Translation.py:233 hasFrTranslatedTitle ---------------------------------------------------------------------- ``` See merge request !1911

Security of tester accessors
The first commit of this merge request was introduced for zope4py3 branch but it revealed issues on py2 as well, i.e. we don't have roles in auto-generated tester methods. ``` ====================================================================== FAIL: test_method_protection (testSecurity.TestSecurity) This test will list all implicitly Public methods in any objects in ZODB. ---------------------------------------------------------------------- Traceback (most recent call last): File "/(SR)/parts/erp5/Products/ERP5/tests/testSecurity.py", line 113, in test_method_protection self.fail(message) AssertionError: The following 7 methods have a docstring but have no security assertions. /(SR)/parts/erp5/product/ERP5Form/PreferenceTool.py:65 isPreferredVcsPushMode /srv/slapgrid/slappart19/t/eiy/soft/8a7759fd7b65b20d9f87713605745d05/parts/erp5/product/ERP5Type/Accessor/AcquiredProperty.py:217 hasTelephoneValidationState /(SR)/parts/erp5/product/ERP5Type/Accessor/Base.py:219 hasViewFormIdList /(SR)/parts/erp5/product/ERP5Type/Accessor/Constant.py:94 isWebDocumentType /(SR)/parts/erp5/product/ERP5Type/Accessor/Content.py:224 hasImage /(SR)/parts/erp5/product/ERP5Type/Accessor/ContentProperty.py:283 hasImageWidthList /(SR)/parts/erp5/product/ERP5Type/Accessor/Translation.py:233 hasFrTranslatedTitle ---------------------------------------------------------------------- ``` See merge request !1911
63dcec59 · Jérome Perrin · 2ca25775 · 3992822a · 63dcec59 · 63dcec59
Commit 63dcec59 authored May 19, 2024 by Jérome Perrin
16 changed files
--- a/bt5/erp5_core_test/TestTemplateItem/portal_components/test.erp5.testFields.py
+++ b/bt5/erp5_core_test/TestTemplateItem/portal_components/test.erp5.testFields.py
@@ -67,10 +67,10 @@ class TestRenderViewAPI(ERP5TypeTestCase):
  def test_signature(self):
    for field in FieldRegistry.get_field_classes().itervalues(): # pylint: disable=no-value-for-parameter
      self.assertEqual(('self', 'value', 'REQUEST', 'render_prefix'),
-                        field.render_view.__func__.func_code.co_varnames)
+                        field.render_view.__code__.co_varnames)
      if field is not ProxyField:
        self.assertEqual(('self', 'field', 'value', 'REQUEST'),
-          field.widget.render_view.__func__.func_code.co_varnames[:4], '%s %s' % (field.widget, field.widget.render_view.__func__.func_code.co_varnames[:4]))
+          field.widget.render_view.__code__.co_varnames[:4], '%s %s' % (field.widget, field.widget.render_view.__code__.co_varnames[:4]))


 class TestFloatField(ERP5TypeTestCase):

--- a/bt5/erp5_oauth_facebook_login/TestTemplateItem/portal_components/test.erp5.testFacebookLogin.py
+++ b/bt5/erp5_oauth_facebook_login/TestTemplateItem/portal_components/test.erp5.testFacebookLogin.py
@@ -126,8 +126,8 @@ class TestFacebookLogin(ERP5TypeTestCase):
        'erp5.component.extension.FacebookLoginUtility.getUserEntry',
        side_effect=getUserEntry
      ) as getUserEntry_mock:
-      getAccessTokenFromCode_mock.func_code = getAccessTokenFromCode.func_code
-      getUserEntry_mock.func_code = getUserEntry.func_code
+      getAccessTokenFromCode_mock.__code__ = getAccessTokenFromCode.__code__
+      getUserEntry_mock.__code__ = getUserEntry.__code__
      self.portal.ERP5Site_callbackFacebookLogin(code=CODE)
    getAccessTokenFromCode_mock.assert_called_once()
    getUserEntry_mock.assert_called_once()
@@ -166,8 +166,8 @@ class TestFacebookLogin(ERP5TypeTestCase):
        'erp5.component.extension.FacebookLoginUtility.getUserEntry',
        side_effect=getUserEntry
      ) as getUserEntry_mock:
-      getAccessTokenFromCode_mock.func_code = getAccessTokenFromCode.func_code
-      getUserEntry_mock.func_code = getUserEntry.func_code
+      getAccessTokenFromCode_mock.__code__ = getAccessTokenFromCode.__code__
+      getUserEntry_mock.__code__ = getUserEntry.__code__
      self.portal.ERP5Site_callbackFacebookLogin(code=CODE)

    ac_cookie, = [v for (k, v) in response.listHeaders() if k.lower() == 'set-cookie' and '__ac_facebook_hash=' in v]
@@ -232,8 +232,8 @@ return credential_request
        'erp5.component.extension.FacebookLoginUtility.getUserEntry',
        side_effect=getUserEntry
      ) as getUserEntry_mock:
-      getAccessTokenFromCode_mock.func_code = getAccessTokenFromCode.func_code
-      getUserEntry_mock.func_code = getUserEntry.func_code
+      getAccessTokenFromCode_mock.__code__ = getAccessTokenFromCode.__code__
+      getUserEntry_mock.__code__ = getUserEntry.__code__
      response = self.portal.ERP5Site_callbackFacebookLogin(code=CODE)
    facebook_hash = self.portal.REQUEST.RESPONSE.cookies.get("__ac_facebook_hash")["value"]
    self.assertEqual("8cec04e21e927f1023f4f4980ec11a77", facebook_hash)

--- a/bt5/erp5_oauth_google_login/TestTemplateItem/portal_components/test.erp5.testGoogleLogin.py
+++ b/bt5/erp5_oauth_google_login/TestTemplateItem/portal_components/test.erp5.testGoogleLogin.py
@@ -163,8 +163,8 @@ class TestGoogleLogin(GoogleLoginTestCase):
        'erp5.component.extension.GoogleLoginUtility.getUserEntry',
        side_effect=getUserEntry
      ) as getUserEntry_mock:
-      getAccessTokenFromCode_mock.func_code = getAccessTokenFromCode.func_code
-      getUserEntry_mock.func_code = getUserEntry.func_code
+      getAccessTokenFromCode_mock.__code__ = getAccessTokenFromCode.__code__
+      getUserEntry_mock.__code__ = getUserEntry.__code__
      self.portal.ERP5Site_receiveGoogleCallback(code=CODE)
    getAccessTokenFromCode_mock.assert_called_once()
    getUserEntry_mock.assert_called_once()
@@ -207,8 +207,8 @@ class TestGoogleLogin(GoogleLoginTestCase):
        'erp5.component.extension.GoogleLoginUtility.getUserEntry',
        side_effect=getUserEntry
      ) as getUserEntry_mock:
-      getAccessTokenFromCode_mock.func_code = getAccessTokenFromCode.func_code
-      getUserEntry_mock.func_code = getUserEntry.func_code
+      getAccessTokenFromCode_mock.__code__ = getAccessTokenFromCode.__code__
+      getUserEntry_mock.__code__ = getUserEntry.__code__
      self.portal.ERP5Site_receiveGoogleCallback(code=CODE)

    getAccessTokenFromCode_mock.assert_called_once()
@@ -278,8 +278,8 @@ return credential_request
        'erp5.component.extension.GoogleLoginUtility.getUserEntry',
        side_effect=getUserEntry
      ) as getUserEntry_mock:
-      getAccessTokenFromCode_mock.func_code = getAccessTokenFromCode.func_code
-      getUserEntry_mock.func_code = getUserEntry.func_code
+      getAccessTokenFromCode_mock.__code__ = getAccessTokenFromCode.__code__
+      getUserEntry_mock.__code__ = getUserEntry.__code__
      response = self.portal.ERP5Site_receiveGoogleCallback(code=CODE)
    getAccessTokenFromCode_mock.assert_called_once()
    getUserEntry_mock.assert_called_once()

--- a/bt5/erp5_openid_connect_client_login/TestTemplateItem/portal_components/test.erp5.testOpenIdConnectLogin.py
+++ b/bt5/erp5_openid_connect_client_login/TestTemplateItem/portal_components/test.erp5.testOpenIdConnectLogin.py
@@ -126,8 +126,8 @@ class TestOpenIdConnectLogin(OpenIdConnectLoginTestCase):
        'erp5.component.extension.OpenIdConnectLoginUtility.getUserEntry',
        side_effect=getUserEntry
      ) as getUserEntry_mock:
-      getAccessTokenFromCode_mock.func_code = getAccessTokenFromCode.func_code
-      getUserEntry_mock.func_code = getUserEntry.func_code
+      getAccessTokenFromCode_mock.__code__ = getAccessTokenFromCode.__code__
+      getUserEntry_mock.__code__ = getUserEntry.__code__
      self.portal.ERP5Site_receiveOpenIdCallback(code=CODE, state=state)

    getAccessTokenFromCode_mock.assert_called_once()
@@ -165,8 +165,8 @@ class TestOpenIdConnectLogin(OpenIdConnectLoginTestCase):
        'erp5.component.extension.OpenIdConnectLoginUtility.getUserEntry',
        side_effect=getUserEntry
      ) as getUserEntry_mock:
-      getAccessTokenFromCode_mock.func_code = getAccessTokenFromCode.func_code
-      getUserEntry_mock.func_code = getUserEntry.func_code
+      getAccessTokenFromCode_mock.__code__ = getAccessTokenFromCode.__code__
+      getUserEntry_mock.__code__ = getUserEntry.__code__
      self.portal.ERP5Site_receiveOpenIdCallback(code=CODE, state=state)
    getAccessTokenFromCode_mock.assert_called_once()
    getUserEntry_mock.assert_called_once()
@@ -260,8 +260,8 @@ return credential_request
        'erp5.component.extension.OpenIdConnectLoginUtility.getUserEntry',
        side_effect=getUserEntry
      ) as getUserEntry_mock:
-      getAccessTokenFromCode_mock.func_code = getAccessTokenFromCode.func_code
-      getUserEntry_mock.func_code = getUserEntry.func_code
+      getAccessTokenFromCode_mock.__code__ = getAccessTokenFromCode.__code__
+      getUserEntry_mock.__code__ = getUserEntry.__code__
      self.portal.ERP5Site_receiveOpenIdCallback(code=CODE, state=state)
    getAccessTokenFromCode_mock.assert_called_once()
    getUserEntry_mock.assert_called_once()

--- a/product/ERP5/tests/testSecurity.py
+++ b/product/ERP5/tests/testSecurity.py
@@ -75,7 +75,7 @@ class TestSecurityMixin(ERP5TypeTestCase):
    allowed_method_id_list = ['om_icons',]
    app = self.portal.aq_parent
    meta_type_set = set([None])
-    error_set = set()
+    error_dict = {}
    for _, obj in app.ZopeFind(app, search_sub=1):
      meta_type = getattr(obj, 'meta_type', None)
      if meta_type in meta_type_set:
@@ -88,17 +88,20 @@ class TestSecurityMixin(ERP5TypeTestCase):
          continue
        method = getattr(obj, method_id)
        if isinstance(method, MethodType) and \
-          getattr(method, 'func_name', None) is not None and \
+          getattr(method, '__name__', None) is not None and \
          method.__doc__ and \
          not hasattr(obj, '%s__roles__' % method_id) and \
+          not hasattr(method, '__roles__') and \
          method.__module__:
-          if method.__module__ == 'Products.ERP5Type.Accessor.WorkflowState' and method.func_code.co_name == 'serialize':
+          if method.__module__ == 'Products.ERP5Type.Accessor.WorkflowState' and method.__code__.co_name == 'serialize':
            continue
          func_code = method.__code__
-          error_set.add((func_code.co_filename, func_code.co_firstlineno, method_id))
+          if not hasattr(func_code, 'co_filename'): # ERP5 Accessor
+            func_code = method.__func__.__class__.__init__.__code__
+          error_dict[(func_code.co_filename, func_code.co_firstlineno)] = method_id

    error_list = []
-    for filename, lineno, method_id in sorted(error_set):
+    for (filename, lineno), method_id in sorted(error_dict.items()):
      # ignore security problems with non ERP5 documents, unless running in debug mode.
      if os.environ.get('erp5_debug_mode') or '/erp5/' in filename or '<portal_components' in filename:
        error_list.append('%s:%s %s' % (filename, lineno, method_id))

--- a/product/ERP5Form/PreferenceTool.py
+++ b/product/ERP5Form/PreferenceTool.py
@@ -31,7 +31,7 @@ from AccessControl import ClassSecurityInfo
 from AccessControl.SecurityManagement import getSecurityManager,\
                          setSecurityManager, newSecurityManager
 from AccessControl.ZopeGuards import guarded_getattr
-from MethodObject import Method
+from Products.ERP5Type.Accessor.Base import Getter
 from Products.ERP5Type.Globals import InitializeClass, DTMLFile
 from zLOG import LOG, PROBLEM

@@ -54,7 +54,7 @@ class Priority:

 class func_code: pass

-class PreferenceMethod(Method):
+class PreferenceMethod(Getter):
  """ A method object that lookup the attribute on preferences. """
  # This is required to call the method form the Web
  __code__ = func_code = func_code()

--- a/product/ERP5Type/Accessor/Alias.py
+++ b/product/ERP5Type/Accessor/Alias.py
@@ -82,7 +82,7 @@ class Dummy(Reindex):
      self._id = id
      self.__name__ = id
      self._accessor_id = accessor_id
-#      self.__code__ = func_code = getattr(instance, self._accessor_id).func_code
+#      self.__code__ = func_code = getattr(instance, self._accessor_id).__code__

    def __call__(self, instance, *args, **kw):
      method = getattr(instance, self._accessor_id)

--- a/product/ERP5Type/Accessor/Base.py
+++ b/product/ERP5Type/Accessor/Base.py
@@ -203,19 +203,10 @@ class Getter(Method):
        return getattr(roles, '__of__', lambda aq_parent: roles)(self)


-class Tester(Method):
+class Tester(Getter):
    """
      Tests if an attribute value exists
    """
-    _need__name__=1
-
-    # Generic Definition of Method Object
-    # This is required to call the method form the Web
-    __code__ = func_code = func_code()
-    __code__.co_varnames = ('self',)
-    __code__.co_argcount = 1
-    __defaults__ = func_defaults = ()
-
    def __init__(self, id, key, property_type, storage_id=None):
      self._id = id
      self.__name__ = id

--- a/product/ERP5Type/Accessor/Constant.py
+++ b/product/ERP5Type/Accessor/Constant.py
@@ -96,6 +96,8 @@ class Getter(Accessor):
    self._key = key
    self.__name__ = id
    self.value = value
+    # Do not publish deprecated Constant getter
+    self.__doc__ = None

  def __call__(self, instance):
    return self.value
--- a/product/ERP5Type/Accessor/Content.py
+++ b/product/ERP5Type/Accessor/Content.py
@@ -208,7 +208,7 @@ class ListGetter(Base.Getter):

 DefaultGetter = Getter

-class Tester(Method):
+class Tester(Base.Tester):
    """
      Tests if an attribute value exists
    """

--- a/product/ERP5Type/Accessor/ContentProperty.py
+++ b/product/ERP5Type/Accessor/ContentProperty.py
@@ -267,7 +267,7 @@ class ListGetter(Base.Getter):

 DefaultGetter = Getter

-class Tester(Method):
+class Tester(Base.Tester):
    """
      Tests if an attribute value exists
    """

--- a/product/ERP5Type/Accessor/Translation.py
+++ b/product/ERP5Type/Accessor/Translation.py
@@ -31,7 +31,7 @@ from zLOG import LOG
 from Products.ERP5Type.PsycoWrapper import psyco
 from Acquisition import aq_base

-from Products.ERP5Type.Accessor.Base import func_code, ATTRIBUTE_PREFIX, evaluateTales, Getter as BaseGetter, Method
+from Products.ERP5Type.Accessor.Base import func_code, ATTRIBUTE_PREFIX, evaluateTales, Getter as BaseGetter, Setter as BaseSetter, Tester as BaseTester
 from Products.ERP5Type.Accessor import Accessor, AcquiredProperty
 from Products.ERP5Type.Accessor.TypeDefinition import type_definition
 from Products.ERP5Type.Utils import unicode2str
@@ -218,7 +218,7 @@ class AcquiredPropertyGetter(AcquiredProperty.Getter):
      else:
        return default

-class TranslatedPropertyTester(Method):
+class TranslatedPropertyTester(BaseTester):
  """
    Tests if an attribute value exists
  """

--- a/product/ERP5Type/Cache.py
+++ b/product/ERP5Type/Cache.py
@@ -353,7 +353,7 @@ def transactional_cached(key_method=_default_key_method):
  def decorator(function):
    # Unfornately, we can only check functions (not other callable like class).
    assert (key_method is not _default_key_method or
-            not getattr(function, 'func_defaults', None)), (
+            not getattr(function, '__defaults__', None)), (
      "default 'key_method' of 'transactional_cached' does not work with"
      " functions having default values for parameters")
    key = repr(function)

--- a/product/ERP5Type/patches/ExternalMethod.py
+++ b/product/ERP5Type/patches/ExternalMethod.py
@@ -83,14 +83,18 @@ class _(PatchClass(ExternalMethod)):
                return _f
        except AttributeError:
            pass
-        code = f.func_code
+        code = f.__code__
        argument_object = getargs(code)
        # reconstruct back the original names
        arg_list = argument_object.args[:]
        if argument_object.varargs:
            arg_list.append('*' + argument_object.varargs)
-        if argument_object.keywords:
-          arg_list.append('**' + argument_object.keywords)
+        if six.PY2:
+          if argument_object.keywords:
+            arg_list.append('**' + argument_object.keywords)
+        else:
+          if argument_object.varkw:
+            arg_list.append('**' + argument_object.varkw)

        i = isinstance(f, MethodType)
        ff = six.get_unbound_function(f) if i else f
@@ -98,7 +102,10 @@ class _(PatchClass(ExternalMethod)):
        i += has_self
        if i:
            code = FuncCode(ff, i)
-        self._v_f = _f = (f, f.func_defaults, code, has_self, arg_list)
+        try: # This fails with mock function
+            self._v_f = _f = (f, f.__defaults__, code, has_self, arg_list)
+        except AttributeError:
+            self._v_f = _f = (f, f.func_defaults, code, has_self, arg_list)
        return _f

    def __call__(self, *args, **kw):

--- a/product/ERP5Type/patches/ZopePageTemplateUtils.py
+++ b/product/ERP5Type/patches/ZopePageTemplateUtils.py
@@ -59,4 +59,4 @@ try:
 except TypeError:
    # We need to monkey patch in-place, as it is a top-level function and
    # already imported in other places.
-    convertToUnicode.func_code = patched_convertToUnicode.func_code
+    convertToUnicode.__code__ = patched_convertToUnicode.__code__
--- a/product/ERP5Type/tests/Sequence.py
+++ b/product/ERP5Type/tests/Sequence.py
@@ -57,7 +57,7 @@ def special_extract_tb(tb, limit = None):
        else: line = None

        # display where we failed in the sequence
-        if co == Sequence.play.func_code:
+        if co == Sequence.play.__code__:
          if line is None:
            line = ''
          sequence = f.f_locals['self']