Testing Plone Site Security Policy
(Is your intranet doing what you think it is?)

Matt Hamilton
Netsight Internet Solutions, UK

understand, develop, deliver.   www.netsight.co.uk
What this talk is NOT

        •   Not talking about security vulnerabilities
        •   Not talking about code unit testing
        •   Not talking about penetration testing
So what IS this talk?
It goes something a bit like this:

        Boss:   Is our intranet secure?
        You:    Yes of course!
So what IS this talk?

        •   But is it really?! Let's think about this:
            ➡ You installed Plone
            ➡ You created a set of custom content types
            ➡ You created a custom workflow
            ➡ Users have group memberships, local roles, etc.
So what IS this talk?

        So our site is now quite complex in terms of who should be
        allowed to do what, and where.
Our use-case

Belron.net
        •   Belron.net Intranet is based around ‘Projects’ and ‘Groups’
            -   Users have local membership and roles of individual
                groups and projects
            -   Projects may be in various ‘states’: Public, Private,
                Secret
            -   Users have local roles to their project: Member,
                Contributor, Reviewer, Owner, Manager
            -   Content within a project may be in various states:
                Private, Draft, Pending, Published
So....

        •   If a piece of content is in the pending state, in a private
            project, in which I am a member and contributor, should I be
            able to edit it?
        •   If a project is in the secret state, and I am a non-member,
            should I be able to view the project description?
Policy decisions

        •   These are POLICY decisions for the site, not really CODE
            decisions.
            -   i.e. these are high-level objectives set by
                analysts/managers, not coders
            -   But they will catch errors in the code or customisation
Coverage

        •   So, we have 3 project states x 5 local roles x 4 content
            states = 60 permutations
        •   Oh... and in Plone, Owner has special meaning on a piece of
            content... so 120 permutations
        •   And for each one we want to test: can I View, Edit, List,
            Delete, Add....
        •   For Belron.net we had approx. 1,300 tests needed
An idea...

        •   What if there was a nice easy way to test all these
            different permutations in an automated way, drive it all
            from a manager-friendly spreadsheet, and be able to visually
            see the results?
PolicyTestCase

        •   Similar to PloneTestCase
        •   Write a bunch of tests
        •   Export a spreadsheet as CSV
        •   Run the tests
        •   See the results in a table
PolicyTestCase

    # PolicyTestCase is the base class from the PolicyTestCase package
    # (in collective); it plays the same role as PloneTestCase here.
    class TestDefaultPlone(PolicyTestCase):

        def afterSetUp(self):
            # Set up the state for this scenario, e.g. workflow state,
            # local roles and group membership; runs before each check
            pass

        def ViewContent(self):
            # Test that we CAN view the content
            pass

        def NoViewContent(self):
            # Test that we can NOT view the content
            pass
PolicyTestCase

    def test_suite():
        from unittest import TestSuite

        suite = TestSuite()
        # The spreadsheet of scenarios, exported as CSV and shipped next
        # to the tests (PACKAGE_HOME is the test package's directory)
        csv = open('%s/test_scenarios_simple2.csv' % PACKAGE_HOME)
        # makeSuiteFromCSV turns each CSV row into one test that runs the
        # named check method of TestDefaultPlone against that scenario
        suite.addTest(makeSuiteFromCSV(TestDefaultPlone, csv))
        return suite
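An added example, not code from the talk or from the PolicyTestCase package: a small re-implementation in plain unittest of the CSV-driven idea on the slides above, built from the Coverage slide's dimensions and the slides' ViewContent/NoViewContent naming. policy_allows is a constructed stand-in for the site's real workflow and role security (the real harness runs against a Plone test site), the sample CSV is constructed, and the column names and the EditContent/NoEditContent checks are assumptions.

```python
import csv
import io
import itertools
import unittest

# Coverage slide: 3 project states x 5 local roles x 4 content states, doubled
# because Plone treats a content item's Owner specially (the is_owner column).
PROJECT_STATES = ("public", "private", "secret")
LOCAL_ROLES = ("Member", "Contributor", "Reviewer", "Owner", "Manager")
CONTENT_STATES = ("private", "draft", "pending", "published")


def scenario_matrix():
    """All (project_state, role, content_state, is_owner) permutations: 120."""
    return list(itertools.product(PROJECT_STATES, LOCAL_ROLES,
                                  CONTENT_STATES, (False, True)))


def policy_allows(action, project_state, role, content_state, is_owner):
    """CONSTRUCTED stand-in for the site's real workflow/role security."""
    if role == "Manager":
        return True
    if action == "view":
        if content_state == "published":
            return True
        if content_state == "private":
            return is_owner
        return is_owner or role in ("Contributor", "Reviewer")  # draft, pending
    if action == "edit":
        if content_state == "published":
            return False
        if content_state == "pending":
            return role == "Reviewer"
        if content_state == "private":
            return is_owner
        return is_owner or role == "Contributor"  # draft
    raise ValueError("unknown action %r" % action)


class PolicyTestCase(unittest.TestCase):
    """One instance per CSV row; the row is attached as self.scenario."""
    scenario = None

    def setUp(self):
        # Fail fast on spreadsheet typos: a misspelt state would otherwise
        # quietly test the wrong permutation.
        s = self.scenario
        if (s["project_state"] not in PROJECT_STATES or s["role"] not in LOCAL_ROLES
                or s["content_state"] not in CONTENT_STATES):
            self.fail("unknown value in scenario row %r" % (s,))

    def _can(self, action):
        s = self.scenario
        return policy_allows(action, s["project_state"], s["role"],
                             s["content_state"], s["is_owner"] == "yes")

    # Referenced by name from the sheet's "check" column, hence no test_ prefix.
    def ViewContent(self):
        self.assertTrue(self._can("view"), "sheet expects view to be allowed")

    def NoViewContent(self):
        self.assertFalse(self._can("view"), "sheet expects view to be denied")

    def EditContent(self):
        self.assertTrue(self._can("edit"), "sheet expects edit to be allowed")

    def NoEditContent(self):
        self.assertFalse(self._can("edit"), "sheet expects edit to be denied")


def make_suite_from_csv(test_class, csv_lines):
    """One test per row; TestCase(methodName) raises ValueError on an unknown check."""
    suite = unittest.TestSuite()
    for row in csv.DictReader(csv_lines):
        test = test_class(row["check"])
        test.scenario = row
        suite.addTest(test)
    return suite


def run_scenarios(csv_text):
    """Run each row on its own; return (scenario, check, passed) for the results table."""
    rows = []
    for test in make_suite_from_csv(PolicyTestCase, io.StringIO(csv_text)):
        result = unittest.TestResult()
        test.run(result)
        rows.append((dict(test.scenario), test.scenario["check"], result.wasSuccessful()))
    return rows


# Constructed sample of the manager-maintained spreadsheet exported as CSV. The
# last row states a policy decision the stand-in does not enforce, so it fails.
SAMPLE_CSV = """project_state,role,content_state,is_owner,check
private,Contributor,pending,no,NoEditContent
private,Contributor,pending,no,ViewContent
private,Reviewer,pending,no,EditContent
public,Member,published,no,ViewContent
private,Owner,draft,yes,EditContent
secret,Member,published,no,NoViewContent
"""
```

The failing last row is the point of the approach: the spreadsheet records what the analysts decided, and a mismatch shows up as a red cell rather than as a surprise in production.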
Demo

        Demo and walkthrough of the code
Questions?

        Any questions?

        Matt Hamilton
        matth@netsight.co.uk

        PolicyTestCase: in collective, will do a release real soon now ;)

Contenu connexe

Plus de Vincenzo Barone

How to market Plone the Web2.0 way
How to market Plone the Web2.0 wayHow to market Plone the Web2.0 way
How to market Plone the Web2.0 wayVincenzo Barone
 
Lennart Regebro What Zope Did Wrong (And What To Do Instead)
Lennart Regebro   What Zope Did Wrong (And What To Do Instead)Lennart Regebro   What Zope Did Wrong (And What To Do Instead)
Lennart Regebro What Zope Did Wrong (And What To Do Instead)Vincenzo Barone
 
Wichert Akkerman Plone Deployment Practices The Plone.Org Setup
Wichert Akkerman   Plone Deployment Practices   The Plone.Org SetupWichert Akkerman   Plone Deployment Practices   The Plone.Org Setup
Wichert Akkerman Plone Deployment Practices The Plone.Org SetupVincenzo Barone
 
Philipp Von Weitershausen Untested Code Is Broken Code
Philipp Von Weitershausen   Untested Code Is Broken CodePhilipp Von Weitershausen   Untested Code Is Broken Code
Philipp Von Weitershausen Untested Code Is Broken CodeVincenzo Barone
 
Duco Dokter - Plone for the enterprise market: technical musing on caching, C...
Duco Dokter - Plone for the enterprise market: technical musing on caching, C...Duco Dokter - Plone for the enterprise market: technical musing on caching, C...
Duco Dokter - Plone for the enterprise market: technical musing on caching, C...Vincenzo Barone
 
Rocky Burt Subtyping Unleashed
Rocky Burt   Subtyping UnleashedRocky Burt   Subtyping Unleashed
Rocky Burt Subtyping UnleashedVincenzo Barone
 
Alec Mitchell Relationship Building Defining And Querying Complex Relatio...
Alec Mitchell   Relationship Building   Defining And Querying Complex Relatio...Alec Mitchell   Relationship Building   Defining And Querying Complex Relatio...
Alec Mitchell Relationship Building Defining And Querying Complex Relatio...Vincenzo Barone
 
Wageindicator Foundation: a Case Study
Wageindicator Foundation: a Case StudyWageindicator Foundation: a Case Study
Wageindicator Foundation: a Case StudyVincenzo Barone
 
Tom Lazar Using Zope3 Views And Viewlets For Plone 3.0 Product Development
Tom Lazar   Using Zope3 Views And Viewlets For Plone 3.0 Product DevelopmentTom Lazar   Using Zope3 Views And Viewlets For Plone 3.0 Product Development
Tom Lazar Using Zope3 Views And Viewlets For Plone 3.0 Product DevelopmentVincenzo Barone
 
Xavier Heymans Plone Gov Plone In The Public Sector. Panel Presenting The...
Xavier Heymans   Plone Gov   Plone In The Public Sector. Panel Presenting The...Xavier Heymans   Plone Gov   Plone In The Public Sector. Panel Presenting The...
Xavier Heymans Plone Gov Plone In The Public Sector. Panel Presenting The...Vincenzo Barone
 
Brent Lambert Plone In Education A Case Study Of The Use Of Plone And Educa...
Brent Lambert   Plone In Education A Case Study Of The Use Of Plone And Educa...Brent Lambert   Plone In Education A Case Study Of The Use Of Plone And Educa...
Brent Lambert Plone In Education A Case Study Of The Use Of Plone And Educa...Vincenzo Barone
 
Wichert Akkerman - Plone.Org Infrastructure
Wichert Akkerman - Plone.Org InfrastructureWichert Akkerman - Plone.Org Infrastructure
Wichert Akkerman - Plone.Org InfrastructureVincenzo Barone
 
Philipp Von Weitershausen Plone Age Mammoths, Sabers And Caveen Cant The...
Philipp Von Weitershausen   Plone Age  Mammoths, Sabers And Caveen   Cant The...Philipp Von Weitershausen   Plone Age  Mammoths, Sabers And Caveen   Cant The...
Philipp Von Weitershausen Plone Age Mammoths, Sabers And Caveen Cant The...Vincenzo Barone
 
Denis Mishunov Making Plone Theme 10 Most Wanted Tips
Denis Mishunov   Making Plone Theme   10 Most Wanted Tips Denis Mishunov   Making Plone Theme   10 Most Wanted Tips
Denis Mishunov Making Plone Theme 10 Most Wanted Tips Vincenzo Barone
 
Duncan Booth Kupu, Past Present And Future
Duncan Booth   Kupu, Past Present And FutureDuncan Booth   Kupu, Past Present And Future
Duncan Booth Kupu, Past Present And FutureVincenzo Barone
 
Jeroen Vloothuis Bend Kss To Your Will
Jeroen Vloothuis   Bend Kss To Your WillJeroen Vloothuis   Bend Kss To Your Will
Jeroen Vloothuis Bend Kss To Your WillVincenzo Barone
 
Jared Whitlock Open Source In The Enterprise Plone @ Novell
Jared Whitlock   Open Source In The Enterprise    Plone @ NovellJared Whitlock   Open Source In The Enterprise    Plone @ Novell
Jared Whitlock Open Source In The Enterprise Plone @ NovellVincenzo Barone
 
Paul Everitt Community And Foundation Plones Past, Present, Future
Paul Everitt   Community And Foundation   Plones Past, Present, Future Paul Everitt   Community And Foundation   Plones Past, Present, Future
Paul Everitt Community And Foundation Plones Past, Present, Future Vincenzo Barone
 
Thomas Moroz Open Source And The Open Society Using Plone To Build Commun...
Thomas Moroz   Open Source And The Open Society   Using Plone To Build Commun...Thomas Moroz   Open Source And The Open Society   Using Plone To Build Commun...
Thomas Moroz Open Source And The Open Society Using Plone To Build Commun...Vincenzo Barone
 
Lennart Regebro What Zope Did Wrong (And What To Do Instead)
Lennart Regebro   What Zope Did Wrong (And What To Do Instead)Lennart Regebro   What Zope Did Wrong (And What To Do Instead)
Lennart Regebro What Zope Did Wrong (And What To Do Instead)Vincenzo Barone
 

Plus de Vincenzo Barone (20)

How to market Plone the Web2.0 way
How to market Plone the Web2.0 wayHow to market Plone the Web2.0 way
How to market Plone the Web2.0 way
 
Lennart Regebro What Zope Did Wrong (And What To Do Instead)
Lennart Regebro   What Zope Did Wrong (And What To Do Instead)Lennart Regebro   What Zope Did Wrong (And What To Do Instead)
Lennart Regebro What Zope Did Wrong (And What To Do Instead)
 
Wichert Akkerman Plone Deployment Practices The Plone.Org Setup
Wichert Akkerman   Plone Deployment Practices   The Plone.Org SetupWichert Akkerman   Plone Deployment Practices   The Plone.Org Setup
Wichert Akkerman Plone Deployment Practices The Plone.Org Setup
 
Philipp Von Weitershausen Untested Code Is Broken Code
Philipp Von Weitershausen   Untested Code Is Broken CodePhilipp Von Weitershausen   Untested Code Is Broken Code
Philipp Von Weitershausen Untested Code Is Broken Code
 
Duco Dokter - Plone for the enterprise market: technical musing on caching, C...
Duco Dokter - Plone for the enterprise market: technical musing on caching, C...Duco Dokter - Plone for the enterprise market: technical musing on caching, C...
Duco Dokter - Plone for the enterprise market: technical musing on caching, C...
 
Rocky Burt Subtyping Unleashed
Rocky Burt   Subtyping UnleashedRocky Burt   Subtyping Unleashed
Rocky Burt Subtyping Unleashed
 
Alec Mitchell Relationship Building Defining And Querying Complex Relatio...
Alec Mitchell   Relationship Building   Defining And Querying Complex Relatio...Alec Mitchell   Relationship Building   Defining And Querying Complex Relatio...
Alec Mitchell Relationship Building Defining And Querying Complex Relatio...
 
Wageindicator Foundation: a Case Study
Wageindicator Foundation: a Case StudyWageindicator Foundation: a Case Study
Wageindicator Foundation: a Case Study
 
Tom Lazar Using Zope3 Views And Viewlets For Plone 3.0 Product Development
Tom Lazar   Using Zope3 Views And Viewlets For Plone 3.0 Product DevelopmentTom Lazar   Using Zope3 Views And Viewlets For Plone 3.0 Product Development
Tom Lazar Using Zope3 Views And Viewlets For Plone 3.0 Product Development
 
Xavier Heymans Plone Gov Plone In The Public Sector. Panel Presenting The...
Xavier Heymans   Plone Gov   Plone In The Public Sector. Panel Presenting The...Xavier Heymans   Plone Gov   Plone In The Public Sector. Panel Presenting The...
Xavier Heymans Plone Gov Plone In The Public Sector. Panel Presenting The...
 
Brent Lambert Plone In Education A Case Study Of The Use Of Plone And Educa...
Brent Lambert   Plone In Education A Case Study Of The Use Of Plone And Educa...Brent Lambert   Plone In Education A Case Study Of The Use Of Plone And Educa...
Brent Lambert Plone In Education A Case Study Of The Use Of Plone And Educa...
 
Wichert Akkerman - Plone.Org Infrastructure
Wichert Akkerman - Plone.Org InfrastructureWichert Akkerman - Plone.Org Infrastructure
Wichert Akkerman - Plone.Org Infrastructure
 
Philipp Von Weitershausen Plone Age Mammoths, Sabers And Caveen Cant The...
Philipp Von Weitershausen   Plone Age  Mammoths, Sabers And Caveen   Cant The...Philipp Von Weitershausen   Plone Age  Mammoths, Sabers And Caveen   Cant The...
Philipp Von Weitershausen Plone Age Mammoths, Sabers And Caveen Cant The...
 
Denis Mishunov Making Plone Theme 10 Most Wanted Tips
Denis Mishunov   Making Plone Theme   10 Most Wanted Tips Denis Mishunov   Making Plone Theme   10 Most Wanted Tips
Denis Mishunov Making Plone Theme 10 Most Wanted Tips
 
Duncan Booth Kupu, Past Present And Future
Duncan Booth   Kupu, Past Present And FutureDuncan Booth   Kupu, Past Present And Future
Duncan Booth Kupu, Past Present And Future
 
Jeroen Vloothuis Bend Kss To Your Will
Jeroen Vloothuis   Bend Kss To Your WillJeroen Vloothuis   Bend Kss To Your Will
Jeroen Vloothuis Bend Kss To Your Will
 
Jared Whitlock Open Source In The Enterprise Plone @ Novell
Jared Whitlock   Open Source In The Enterprise    Plone @ NovellJared Whitlock   Open Source In The Enterprise    Plone @ Novell
Jared Whitlock Open Source In The Enterprise Plone @ Novell
 
Paul Everitt Community And Foundation Plones Past, Present, Future
Paul Everitt   Community And Foundation   Plones Past, Present, Future Paul Everitt   Community And Foundation   Plones Past, Present, Future
Paul Everitt Community And Foundation Plones Past, Present, Future
 
Thomas Moroz Open Source And The Open Society Using Plone To Build Commun...
Thomas Moroz   Open Source And The Open Society   Using Plone To Build Commun...Thomas Moroz   Open Source And The Open Society   Using Plone To Build Commun...
Thomas Moroz Open Source And The Open Society Using Plone To Build Commun...
 
Lennart Regebro What Zope Did Wrong (And What To Do Instead)
Lennart Regebro   What Zope Did Wrong (And What To Do Instead)Lennart Regebro   What Zope Did Wrong (And What To Do Instead)
Lennart Regebro What Zope Did Wrong (And What To Do Instead)
 

Dernier

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Dernier (20)

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Testing Plone Site Security Policy - Is Your Intranet Doing What You Think It Is?

  • 1. Testing Plone Site Security Policy (Is your intranet doing what you think it is?) Matt Hamilton Netsight Internet Solutions, UK understand, develop, deliver. www.netsight.co.uk
  • 2. What this talk is NOT • Not talking about security vulnerabilities • Not talking about code unit testing • Not talking about penetration testing understand, develop, deliver. www.netsight.co.uk
  • 3. So what IS this talk? It goes something a bit like this: understand, develop, deliver. www.netsight.co.uk
  • 4. So what IS this talk? It goes something a bit like this: Is our intranet secure? Boss understand, develop, deliver. www.netsight.co.uk
  • 5. So what IS this talk? It goes something a bit like this: Is our intranet secure? Boss Yes of course! You understand, develop, deliver. www.netsight.co.uk
  • 6. So what IS this talk? understand, develop, deliver. www.netsight.co.uk
  • 7. So what IS this talk? • But is it really?! Lets think about this: understand, develop, deliver. www.netsight.co.uk
  • 8. So what IS this talk? • But is it really?! Lets think about this: ➡ You installed Plone understand, develop, deliver. www.netsight.co.uk
  • 9. So what IS this talk? • But is it really?! Lets think about this: ➡ You installed Plone ➡ You created a set of custom content types understand, develop, deliver. www.netsight.co.uk
  • 10. So what IS this talk? • But is it really?! Lets think about this: ➡ You installed Plone ➡ You created a set of custom content types ➡ You created a custom workflow understand, develop, deliver. www.netsight.co.uk
  • 11. So what IS this talk? • But is it really?! Lets think about this: ➡ You installed Plone ➡ You created a set of custom content types ➡ You created a custom workflow ➡ Users have group memberships, local roles, etc understand, develop, deliver. www.netsight.co.uk
  • 12. So what IS this talk? So our site is now quite complex in terms of who should be allowed to do what and where understand, develop, deliver. www.netsight.co.uk
• 13. Our use-case
• 19. Belron.net
  • The Belron.net intranet is based around ‘Projects’ and ‘Groups’
    - Users have local membership and roles in individual groups and projects
    - Projects may be in various ‘states’: Public, Private, Secret
    - Users have local roles in their project: Member, Contributor, Reviewer, Owner, Manager
    - Content within a project may be in various states: Private, Draft, Pending, Published
• 23. So....
  • If a piece of content is in the pending state, in a private project, in which I am a member and contributor, should I be able to edit it?
  • If a project is in the secret state, and I am a non-member, should I be able to view the project description?
• 24. Policy decisions
• 27. Policy decisions
  • These are POLICY decisions for the site, not really CODE decisions.
    - i.e. these are high-level objectives set by analysts/managers, not coders
    - But testing them will catch errors in the code or customisation
• 32. Coverage
  • So, we have 3 project states x 5 local roles x 4 content states = 60 permutations
  • Oh... and in Plone, Owner has special meaning on a piece of content... so 120 permutations
  • And for each one we want to test: can I View, Edit, List, Delete, Add....
  • For Belron.net we had approx 1,300 tests needed
• 33. An idea...
  • What if there was a nice easy way to test all these different permutations in an automated way, drive it all from a manager-friendly spreadsheet, and be able to visually see the results?
• 34. PolicyTestCase
  • Similar to PloneTestCase
  • Write a bunch of tests
  • Export a spreadsheet as CSV
  • Run the tests
  • See the results in a table
• 35. PolicyTestCase
  # The import of PolicyTestCase is not shown on the slide.
  class TestDefaultPlone(PolicyTestCase):
      def afterSetUp(self):
          # Set up the state, e.g. workflow etc.
          pass

      def ViewContent(self):
          # Test we can view the content
          pass

      def NoViewContent(self):
          # Test we can NOT view the content
          pass
• 36. PolicyTestCase
  def test_suite():
      from unittest import TestSuite
      suite = TestSuite()
      # PACKAGE_HOME and makeSuiteFromCSV come from the test setup / PolicyTestCase
      # package (not shown on the slide); one test is generated per spreadsheet row.
      csv = open('%s/test_scenarios_simple2.csv' % PACKAGE_HOME)
      suite.addTest(makeSuiteFromCSV(TestDefaultPlone, csv))
      return suite
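The coverage slides count 120 permutations times several actions, and the PolicyTestCase slides sketch driving such tests from a CSV and reading the results as a table. The following is an added example, not code from the talk or from the PolicyTestCase package: a from-scratch, standard-library-only sketch of the same idea. The spreadsheet rows, the toy_policy function standing in for the site's security machinery (with one deliberately planted mismatch), and the names make_suite_from_csv, run_policy_matrix and render_table are all assumptions made here.

```python
"""Spreadsheet-driven access-policy tests, in the spirit of the talk's
PolicyTestCase: one test per CSV row, results rendered as a grid.
Added example, standard library only; the 'site' is a toy policy function."""
import csv
import io
import unittest

# Constructed sample spreadsheet (not the Belron.net one). The columns follow
# the dimensions the talk enumerates: project state, local role on the project,
# content workflow state, whether the user owns the item, the action, and the
# outcome the policy owner expects.
SCENARIOS_CSV = """\
project_state,role,content_state,is_owner,action,expected
public,Member,published,no,view,allow
public,Member,published,no,edit,deny
private,Contributor,draft,yes,edit,allow
private,Contributor,pending,yes,edit,deny
private,Contributor,pending,no,edit,deny
private,Reviewer,pending,no,edit,allow
secret,Anonymous,published,no,view,deny
"""


def toy_policy(project_state, role, content_state, is_owner, action):
    """Stand-in for the site's security machinery (an assumption for this
    example, not Plone's permission logic). Returns 'allow' or 'deny' and
    carries one planted mistake so the results table has something to show."""
    if project_state == "secret" and role == "Anonymous":
        return "deny"  # non-members see nothing in a secret project
    if action == "view":
        if content_state == "published":
            return "allow"
        return "allow" if is_owner or role in ("Reviewer", "Manager") else "deny"
    if action == "edit":
        if role == "Manager":
            return "allow"
        if content_state == "pending":
            # Planted mistake: the spreadsheet says owners must not edit an item
            # once it is pending review, but this code still lets them.
            return "allow" if is_owner or role == "Reviewer" else "deny"
        return "allow" if is_owner or role == "Contributor" else "deny"
    return "deny"


class PolicyTestCase(unittest.TestCase):
    """Base class that knows how to check one spreadsheet row. A real subclass
    would build the site in afterSetUp; here the site is toy_policy."""
    policy = staticmethod(toy_policy)
    scenario = None  # set on each generated test instance

    def check_policy(self, row):
        got = self.policy(row["project_state"], row["role"], row["content_state"],
                          row["is_owner"] == "yes", row["action"])
        self.assertEqual(row["expected"], got, "scenario %r" % (row,))


def make_suite_from_csv(testcase_class, csv_file):
    """Generate one test method per CSV row on a dynamic subclass, so every
    permutation is reported individually (a re-creation of the idea behind
    the talk's makeSuiteFromCSV, not that package's code)."""
    rows = list(csv.DictReader(csv_file))
    methods, names = {}, []
    for i, row in enumerate(rows, start=1):
        name = "test_%02d_%s_%s_%s" % (i, row["project_state"], row["role"], row["action"])

        def method(self, row=row):  # default arg freezes this row's dict
            self.check_policy(row)
        methods[name] = method
        names.append((name, row))
    generated = type(testcase_class.__name__ + "FromCSV", (testcase_class,), methods)
    suite = unittest.TestSuite()
    for name, row in names:
        test = generated(name)
        test.scenario = row
        suite.addTest(test)
    return suite


def run_policy_matrix(csv_text):
    """Run the generated suite; return [(scenario, 'PASS'|'FAIL'), ...] in
    spreadsheet order, the data behind the results table."""
    suite = make_suite_from_csv(PolicyTestCase, io.StringIO(csv_text))
    tests = list(suite)  # capture first: TestSuite.run() discards tests it has run
    result = unittest.TestResult()
    suite.run(result)
    failed = {t.id() for t, _ in result.failures + result.errors}
    return [(t.scenario, "FAIL" if t.id() in failed else "PASS") for t in tests]


def render_table(rows):
    """Lay the run out as a grid a manager can read, one row per scenario."""
    cols = ("project_state", "role", "content_state", "is_owner", "action", "expected")
    widths = {c: max([len(c)] + [len(sc[c]) for sc, _ in rows]) for c in cols}
    fmt = "  ".join("%%-%ds" % widths[c] for c in cols)
    lines = [fmt % cols + "  result"]
    for sc, res in rows:
        lines.append(fmt % tuple(sc[c] for c in cols) + "  " + res)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(run_policy_matrix(SCENARIOS_CSV)))
```

Running it prints the grid with exactly one FAIL: the row where a contributor who owns a pending item in a private project is still allowed to edit it, which is the question the talk itself poses. Each spreadsheet row becomes its own test method so a mismatch is pinned to a single cell rather than to one large test, and the results are kept in spreadsheet order so the table lines up with what the analysts wrote.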
• 37. Demo
  Demo and walkthrough of the code
• 38. Questions?
  Any questions?
  Matt Hamilton matth@netsight.co.uk
  PolicyTestCase: in collective, will do a release real soon now ;)