Merge branch 'virtuoso_integration' of gitlab.com:participa/noosfero into virtuoso_integration

Francisco Júnior
2 parents 0a2b497f c31de66e
Showing 6 changed files with 54 additions and 15 deletions Show diff stats
plugins/virtuoso/lib/ext/literal.rb
plugins/virtuoso/lib/virtuoso_plugin.rb
plugins/virtuoso/lib/virtuoso_plugin/triples_template.rb
plugins/virtuoso/test/unit/triples_template_test.rb
plugins/virtuoso/test/unit/virtuoso_plugin_test.rb
plugins/virtuoso/views/virtuoso_plugin_admin/index.html.erb
 class RDF::Literal
  
+  include ActionView::Helpers::SanitizeHelper
+
   def to_liquid
-    value
+    strip_tags(value)
   end
  
 end
@@ -17,15 +17,25 @@ class VirtuosoPlugin &lt; Noosfero::Plugin
   end
  
   def virtuoso_client
-    @virtuoso_client ||= RDF::Virtuoso::Repository.new("#{settings.virtuoso_uri}/sparql", :update_uri => "#{settings.virtuoso_uri}/sparql-auth", :username => settings.virtuoso_username, :password => settings.virtuoso_password, :auth_method => 'digest', :timeout => 30)
+    @virtuoso_client ||= virtuoso_client_builder(settings.virtuoso_uri, settings.virtuoso_username, settings.virtuoso_password)
   end
-  
+
+  def virtuoso_readonly_client
+    @virtuoso_readonly_client ||= virtuoso_client_builder(settings.virtuoso_uri, settings.virtuoso_readonly_username, settings.virtuoso_readonly_password)
+  end
+
   def js_files
     ['edit-server-list']
-  end  
+  end
  
   def stylesheet?
     true
   end
  
+  protected
+
+  def virtuoso_client_builder(uri, username, password)
+    RDF::Virtuoso::Repository.new("#{uri}/sparql", :update_uri => "#{uri}/sparql-auth", :username => username, :password => password, :auth_method => 'digest', :timeout => 30)
+  end
+
 end
@@ -37,7 +37,7 @@ class VirtuosoPlugin::TriplesTemplate &lt; Article
  
   def template_content
     begin
-      results = plugin.virtuoso_client.query(query)
+      results = plugin.virtuoso_readonly_client.query(query)
       liquid_template = Liquid::Template.parse(template)
       page = liquid_template.render('results' => results)
       transform_html(page)
@@ -10,8 +10,8 @@ class TriplesTemplateTest &lt; ActiveSupport::TestCase
  
   should 'evaluate template using query results' do
     article.stubs(:plugin).returns(mock)
-    article.plugin.expects(:virtuoso_client).at_least_once.returns(mock)
-    article.plugin.virtuoso_client.expects(:query).returns([{'var' => 'Hello '}, {'var' => 'World'}])
+    article.plugin.expects(:virtuoso_readonly_client).at_least_once.returns(mock)
+    article.plugin.virtuoso_readonly_client.expects(:query).returns([{'var' => 'Hello '}, {'var' => 'World'}])
     article.template = "{% for row in results %}{{row.var}}{% endfor %}"
  
     assert_match /Hello World/, article.template_content
@@ -19,8 +19,8 @@ class TriplesTemplateTest &lt; ActiveSupport::TestCase
  
   should 'display error message when failed to execute the query' do
     article.stubs(:plugin).returns(mock)
-    article.plugin.expects(:virtuoso_client).at_least_once.returns(mock)
-    article.plugin.virtuoso_client.expects(:query).raises(RuntimeError.new)
+    article.plugin.expects(:virtuoso_readonly_client).at_least_once.returns(mock)
+    article.plugin.virtuoso_readonly_client.expects(:query).raises(RuntimeError.new)
     article.template = "{% for row in results %}{{row.var}}{% endfor %}"
  
     assert_equal "Failed to process the template", article.template_content
@@ -28,8 +28,8 @@ class TriplesTemplateTest &lt; ActiveSupport::TestCase
  
   should 'transform css into inline stylesheet' do
     article.stubs(:plugin).returns(mock)
-    article.plugin.expects(:virtuoso_client).at_least_once.returns(mock)
-    article.plugin.virtuoso_client.expects(:query).returns([{'var' => 'Hello '}, {'var' => 'World'}])
+    article.plugin.expects(:virtuoso_readonly_client).at_least_once.returns(mock)
+    article.plugin.virtuoso_readonly_client.expects(:query).returns([{'var' => 'Hello '}, {'var' => 'World'}])
     article.template = "{% for row in results %}<p>{{row.var}}</p>{% endfor %}"
     article.stylesheet = "p {color: red}"
  
@@ -38,4 +38,13 @@ class TriplesTemplateTest &lt; ActiveSupport::TestCase
     assert_match /<p style="color:red">World<\/p>/, content
   end
  
+  should 'do not allow js injection' do
+    article.stubs(:plugin).returns(mock)
+    article.plugin.expects(:virtuoso_readonly_client).at_least_once.returns(mock)
+    article.plugin.virtuoso_readonly_client.expects(:query).returns([{'var' => RDF::Literal.new('<script>alert("hello");</script>')}])
+    article.template = "{% for row in results %}{{row.var}}{% endfor %}"
+
+    assert_no_match /<script>/, article.template_content
+  end
+
 end
@@ -4,13 +4,29 @@ class VirtuosoPluginTest &lt; ActiveSupport::TestCase
  
   def setup
     @environment = Environment.default
-    @plugin = VirtuosoPlugin.new
+    @plugin = VirtuosoPlugin.new(self)
   end
  
-  attr_reader :plugin
+  attr_reader :plugin, :environment
  
   should 'define a new content' do
     assert_equal [VirtuosoPlugin::TriplesTemplate], plugin.content_types
   end
  
+  should 'create a client for virtuoso using admin account' do
+    plugin.stubs(:settings).returns(mock)
+    plugin.settings.expects(:virtuoso_uri)
+    plugin.settings.expects(:virtuoso_username)
+    plugin.settings.expects(:virtuoso_password)
+    plugin.virtuoso_client
+  end
+
+  should 'create a client for virtuoso using a read-only account' do
+    plugin.stubs(:settings).returns(mock)
+    plugin.settings.expects(:virtuoso_uri)
+    plugin.settings.expects(:virtuoso_readonly_username)
+    plugin.settings.expects(:virtuoso_readonly_password)
+    plugin.virtuoso_readonly_client
+  end
+
 end
@@ -6,8 +6,10 @@
  
   <strong>
     <%= labelled_form_field _('Virtuoso URL:'), f.text_field(:virtuoso_uri) %>
-    <%= labelled_form_field _('Virtuoso Username:'), f.text_field(:virtuoso_username) %>
-    <%= labelled_form_field _('Virtuoso Password:'), f.password_field(:virtuoso_password) %>
+    <%= labelled_form_field _('Virtuoso Admin Username:'), f.text_field(:virtuoso_username) %>
+    <%= labelled_form_field _('Virtuoso Admin Password:'), f.password_field(:virtuoso_password) %>
+    <%= labelled_form_field _('Virtuoso Read-Only Username:'), f.text_field(:virtuoso_readonly_username) %>
+    <%= labelled_form_field _('Virtuoso Read-Only Password:'), f.password_field(:virtuoso_readonly_password) %>
     <%= labelled_form_field _('DSpace URL:'), f.text_field(:dspace_uri) %>
   </strong>
1	1	class RDF::Literal
2	2
	3	+ include ActionView::Helpers::SanitizeHelper
	4	+
3	5	def to_liquid
4		- value
	6	+ strip_tags(value)
5	7	end
6	8
7	9	end
...	...
...	...	@@ -17,15 +17,25 @@ class VirtuosoPlugin < Noosfero::Plugin
17	17	end
18	18
19	19	def virtuoso_client
20		- @virtuoso_client \|\|= RDF::Virtuoso::Repository.new("#{settings.virtuoso_uri}/sparql", :update_uri => "#{settings.virtuoso_uri}/sparql-auth", :username => settings.virtuoso_username, :password => settings.virtuoso_password, :auth_method => 'digest', :timeout => 30)
	20	+ @virtuoso_client \|\|= virtuoso_client_builder(settings.virtuoso_uri, settings.virtuoso_username, settings.virtuoso_password)
21	21	end
22		-
	22	+
	23	+ def virtuoso_readonly_client
	24	+ @virtuoso_readonly_client \|\|= virtuoso_client_builder(settings.virtuoso_uri, settings.virtuoso_readonly_username, settings.virtuoso_readonly_password)
	25	+ end
	26	+
23	27	def js_files
24	28	['edit-server-list']
25		- end
	29	+ end
26	30
27	31	def stylesheet?
28	32	true
29	33	end
30	34
	35	+ protected
	36	+
	37	+ def virtuoso_client_builder(uri, username, password)
	38	+ RDF::Virtuoso::Repository.new("#{uri}/sparql", :update_uri => "#{uri}/sparql-auth", :username => username, :password => password, :auth_method => 'digest', :timeout => 30)
	39	+ end
	40	+
31	41	end
...	...
...	...	@@ -37,7 +37,7 @@ class VirtuosoPlugin::TriplesTemplate < Article
37	37
38	38	def template_content
39	39	begin
40		- results = plugin.virtuoso_client.query(query)
	40	+ results = plugin.virtuoso_readonly_client.query(query)
41	41	liquid_template = Liquid::Template.parse(template)
42	42	page = liquid_template.render('results' => results)
43	43	transform_html(page)
...	...
...	...	@@ -10,8 +10,8 @@ class TriplesTemplateTest < ActiveSupport::TestCase
10	10
11	11	should 'evaluate template using query results' do
12	12	article.stubs(:plugin).returns(mock)
13		- article.plugin.expects(:virtuoso_client).at_least_once.returns(mock)
14		- article.plugin.virtuoso_client.expects(:query).returns([{'var' => 'Hello '}, {'var' => 'World'}])
	13	+ article.plugin.expects(:virtuoso_readonly_client).at_least_once.returns(mock)
	14	+ article.plugin.virtuoso_readonly_client.expects(:query).returns([{'var' => 'Hello '}, {'var' => 'World'}])
15	15	article.template = "{% for row in results %}{{row.var}}{% endfor %}"
16	16
17	17	assert_match /Hello World/, article.template_content
...	...	@@ -19,8 +19,8 @@ class TriplesTemplateTest < ActiveSupport::TestCase
19	19
20	20	should 'display error message when failed to execute the query' do
21	21	article.stubs(:plugin).returns(mock)
22		- article.plugin.expects(:virtuoso_client).at_least_once.returns(mock)
23		- article.plugin.virtuoso_client.expects(:query).raises(RuntimeError.new)
	22	+ article.plugin.expects(:virtuoso_readonly_client).at_least_once.returns(mock)
	23	+ article.plugin.virtuoso_readonly_client.expects(:query).raises(RuntimeError.new)
24	24	article.template = "{% for row in results %}{{row.var}}{% endfor %}"
25	25
26	26	assert_equal "Failed to process the template", article.template_content
...	...	@@ -28,8 +28,8 @@ class TriplesTemplateTest < ActiveSupport::TestCase
28	28
29	29	should 'transform css into inline stylesheet' do
30	30	article.stubs(:plugin).returns(mock)
31		- article.plugin.expects(:virtuoso_client).at_least_once.returns(mock)
32		- article.plugin.virtuoso_client.expects(:query).returns([{'var' => 'Hello '}, {'var' => 'World'}])
	31	+ article.plugin.expects(:virtuoso_readonly_client).at_least_once.returns(mock)
	32	+ article.plugin.virtuoso_readonly_client.expects(:query).returns([{'var' => 'Hello '}, {'var' => 'World'}])
33	33	article.template = "{% for row in results %}<p>{{row.var}}</p>{% endfor %}"
34	34	article.stylesheet = "p {color: red}"
35	35
...	...	@@ -38,4 +38,13 @@ class TriplesTemplateTest < ActiveSupport::TestCase
38	38	assert_match /<p style="color:red">World<\/p>/, content
39	39	end
40	40
	41	+ should 'do not allow js injection' do
	42	+ article.stubs(:plugin).returns(mock)
	43	+ article.plugin.expects(:virtuoso_readonly_client).at_least_once.returns(mock)
	44	+ article.plugin.virtuoso_readonly_client.expects(:query).returns([{'var' => RDF::Literal.new('<script>alert("hello");</script>')}])
	45	+ article.template = "{% for row in results %}{{row.var}}{% endfor %}"
	46	+
	47	+ assert_no_match /<script>/, article.template_content
	48	+ end
	49	+
41	50	end
...	...
...	...	@@ -4,13 +4,29 @@ class VirtuosoPluginTest < ActiveSupport::TestCase
4	4
5	5	def setup
6	6	@environment = Environment.default
7		- @plugin = VirtuosoPlugin.new
	7	+ @plugin = VirtuosoPlugin.new(self)
8	8	end
9	9
10		- attr_reader :plugin
	10	+ attr_reader :plugin, :environment
11	11
12	12	should 'define a new content' do
13	13	assert_equal [VirtuosoPlugin::TriplesTemplate], plugin.content_types
14	14	end
15	15
	16	+ should 'create a client for virtuoso using admin account' do
	17	+ plugin.stubs(:settings).returns(mock)
	18	+ plugin.settings.expects(:virtuoso_uri)
	19	+ plugin.settings.expects(:virtuoso_username)
	20	+ plugin.settings.expects(:virtuoso_password)
	21	+ plugin.virtuoso_client
	22	+ end
	23	+
	24	+ should 'create a client for virtuoso using a read-only account' do
	25	+ plugin.stubs(:settings).returns(mock)
	26	+ plugin.settings.expects(:virtuoso_uri)
	27	+ plugin.settings.expects(:virtuoso_readonly_username)
	28	+ plugin.settings.expects(:virtuoso_readonly_password)
	29	+ plugin.virtuoso_readonly_client
	30	+ end
	31	+
16	32	end
...	...
...	...	@@ -6,8 +6,10 @@
6	6
7	7	<strong>
8	8	<%= labelled_form_field _('Virtuoso URL:'), f.text_field(:virtuoso_uri) %>
9		- <%= labelled_form_field _('Virtuoso Username:'), f.text_field(:virtuoso_username) %>
10		- <%= labelled_form_field _('Virtuoso Password:'), f.password_field(:virtuoso_password) %>
	9	+ <%= labelled_form_field _('Virtuoso Admin Username:'), f.text_field(:virtuoso_username) %>
	10	+ <%= labelled_form_field _('Virtuoso Admin Password:'), f.password_field(:virtuoso_password) %>
	11	+ <%= labelled_form_field _('Virtuoso Read-Only Username:'), f.text_field(:virtuoso_readonly_username) %>
	12	+ <%= labelled_form_field _('Virtuoso Read-Only Password:'), f.password_field(:virtuoso_readonly_password) %>
11	13	<%= labelled_form_field _('DSpace URL:'), f.text_field(:dspace_uri) %>
12	14	</strong>
13	15
...	...