From 7b4da722d3dfc6db9a1c8c438bcd7c2bf2a4a8d7 Mon Sep 17 00:00:00 2001
From: Samuel Gaist <samuel.gaist@idiap.ch>
Date: Wed, 12 Sep 2018 09:54:23 +0200
Subject: [PATCH] [web][databases] Anonymize the paths to the db data

---
 beat/web/databases/api.py   | 20 ++++++++++++++++++-
 beat/web/databases/tests.py | 39 ++++++++++++++++++++++++++++++-------
 2 files changed, 51 insertions(+), 8 deletions(-)

diff --git a/beat/web/databases/api.py b/beat/web/databases/api.py
index 60bbab245..e5e05521b 100755
--- a/beat/web/databases/api.py
+++ b/beat/web/databases/api.py
@@ -25,6 +25,9 @@
 #                                                                             #
 ###############################################################################
 
+import os
+import json
+
 from django.http import HttpResponse
 from django.core.urlresolvers import reverse
 
@@ -93,6 +96,20 @@ def database_to_json(database, request_user, fields_to_return,
     return result
 
 
+def clean_paths(declaration):
+    pseudo_path = '/path_to_db_folder'
+    json_data = json.loads(declaration)
+    root_folder = json_data['root_folder']
+    cleaned_folder = os.path.basename(os.path.normpath(root_folder))
+    json_data['root_folder'] = os.path.join(pseudo_path, cleaned_folder)
+    for protocol in json_data['protocols']:
+        for set_ in protocol['sets']:
+            if 'parameters' in set_ and 'annotations' in set_['parameters']:
+                annotations_folder = set_['parameters']['annotations']
+                cleaned_folder = annotations_folder.split('/')[-2:]
+                set_['parameters']['annotations'] = os.path.join(pseudo_path, *cleaned_folder)
+    return json.dumps(json_data)
+
 #----------------------------------------------------------
 
 
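Review bot: In `clean_paths`, `annotations_folder.split('/')[-2:]` works on the raw string, whereas `root_folder` is passed through `os.path.normpath` first. An annotations path with a trailing slash would therefore produce an empty last component, and the result would keep one directory name instead of two. Normalising first makes the two branches consistent: `cleaned_folder = os.path.normpath(annotations_folder).split('/')[-2:]`. The function also rewrites only `root_folder` and `parameters['annotations']`, so any other declaration field that carries a server path is returned as-is. A one-line docstring such as `"""Replace the server-side prefix of root_folder and of each set's annotations parameter with a placeholder; other fields are returned unchanged."""` would make that limit explicit.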
@@ -227,11 +244,12 @@ class RetrieveDatabaseView(views.APIView):
             # Retrieve the code
             if 'declaration' in fields_to_return:
                 try:
-                    result['declaration'] = database.declaration_file.read()
+                    declaration = database.declaration_file.read()
                 except:
                     logger.error(traceback.format_exc())
                     return HttpResponse(status=500)
 
+                result['declaration'] = clean_paths(declaration)
 
             # Retrieve the source code
             if 'code' in fields_to_return:
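Review bot: `result['declaration'] = clean_paths(declaration)` sits after the `try`/`except`, so a `ValueError` from `json.loads` or a `KeyError` for a missing `root_folder` or `protocols` key leaves the view without being logged. Only a failed read takes the `logger.error(...)` / `HttpResponse(status=500)` path. Moving the call inside the `try`, directly after `declaration = database.declaration_file.read()`, keeps both failure modes on the same logged path and still never returns the unmodified declaration. Only this retrieval branch is changed in the visible hunks, so if `database_to_json` or another serializer also returns the declaration, it presumably needs the same call. The view body starts and continues outside the hunk.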
diff --git a/beat/web/databases/tests.py b/beat/web/databases/tests.py
index 6b530aac4..45f8f0b3b 100644
--- a/beat/web/databases/tests.py
+++ b/beat/web/databases/tests.py
@@ -69,14 +69,15 @@ class DatabaseAPIBase(BaseTestCase):
         user = User.objects.create_user('jackdoe', 'jackdoe@test.org', '1234')
         User.objects.create_user('johndoe', 'johndoe@test.org', '1234')
 
+        self.db_name = 'test_db'
 
     def tearDown(self):
         pass
 
 
-class AttestationCreationAPI(DatabaseAPIBase):
+class DatabaseCreationAPI(DatabaseAPIBase):
     def setUp(self):
-        super(AttestationCreationAPI, self).setUp()
+        super(DatabaseCreationAPI, self).setUp()
 
         self.url = reverse('api_databases:all')
 
@@ -93,10 +94,9 @@ class AttestationCreationAPI(DatabaseAPIBase):
 
     def test_create_database_failure(self):
         self.client.login(username=settings.SYSTEM_ACCOUNT, password='1234')
-        db_name = 'test_db'
         response = self.client.post(self.url,
                                     json.dumps({
-                                        'name': db_name,
+                                        'name': self.db_name,
                                         'declaration': self.DATABASE
                                     }), content_type='application/json')
 
@@ -110,16 +110,41 @@ class AttestationCreationAPI(DatabaseAPIBase):
         dataformat.share()
 
         self.client.login(username=settings.SYSTEM_ACCOUNT, password='1234')
-        db_name = 'test_db'
+
         response = self.client.post(self.url,
                                     json.dumps({
-                                        'name': db_name,
+                                        'name': self.db_name,
                                         'declaration': self.DATABASE
                                     }), content_type='application/json')
 
         data = self.checkResponse(response, 201, content_type='application/json')
 
-        self.assertTrue(data['name'] == db_name)
+        self.assertTrue(data['name'] == self.db_name)
 
         databases = Database.objects.all()
         self.assertEqual(databases.count(), 1)
+        databases.delete()
+
+
+class DatabaseRetrievalAPI(DatabaseAPIBase):
+
+    def test_retrieve_database(self):
+        (dataformat, errors) = DataFormat.objects.create_dataformat(self.system_user, 'float', '')
+        assert dataformat, errors
+        dataformat.share()
+
+        (database, errors) = Database.objects.create_database(self.db_name, declaration=self.DATABASE)
+        assert database, errors
+        database.share()
+
+        self.client.login(username=settings.SYSTEM_ACCOUNT, password='1234')
+
+        url = reverse('api_databases:object', kwargs={'database_name': self.db_name, 'version': 1})
+
+        response = self.client.get(url, format='json')
+        data = self.checkResponse(response, 200, content_type='application/json')
+
+        declaration = json.loads(data['declaration'])
+        self.assertTrue(declaration['root_folder'].startswith('/path_to_db_folder'))
+
+        database.delete()
\ No newline at end of file
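Review bot: `test_retrieve_database` asserts only that `root_folder` starts with `/path_to_db_folder`, so the `parameters['annotations']` branch of `clean_paths` is never exercised, and nothing checks that the original server path is absent from the response. Whether `self.DATABASE` contains an annotations parameter is not visible in this hunk; if it does not, a fixture with one is needed. A negative assertion such as `self.assertNotIn(original_root, data['declaration'])`, with `original_root` read from the fixture, would pin the property the commit is meant to guarantee. `database.delete()` at the end of the test body is skipped when an assertion fails, so cleanup may belong in `tearDown`.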
-- 
GitLab