Gitiles
Code Review Sign In
gerrit.opencord.org / xos / 1f7791dae3d36bd5d5c916e643ed4620159a34d5 / . / lib / xos-genx / xos-genx-tests / test_general_security.py
blob: 1a7b7ca82e516df80d74f0361e4300cba881cb67 [file] [log] [blame]
Matteo Scandolod2044a42017-08-07 16:08:28 -0700[diff] [blame]1
2# Copyright 2017-present Open Networking Foundation
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15
16
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]17import unittest
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]18from xosgenx.generator import XOSProcessor, XOSProcessorArgs
19from helpers import XProtoTestHelpers, FakeObject
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]20
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]21"""The function below is for eliminating warnings arising due to the missing output_security_check,
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]22which is generated and loaded dynamically.
23"""
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]24def output_security_check(x, y):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]25 raise Exception("Security enforcer not generated. Test failed.")
26 return False
27
28"""
29The tests below use the Python code target to generate
30Python security policies, set up an appropriate environment and execute the Python.
31"""
32class XProtoSecurityTest(unittest.TestCase):
33 def setUp(self):
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]34 self.target = XProtoTestHelpers.write_tmp_target("""
35{% for name, policy in proto.policies.items() %}
36{{ xproto_fol_to_python_test(name, policy, None, '0') }}
37{% endfor %}
38""")
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]39
40 def test_constant(self):
41 xproto = \
42"""
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]43 policy output < True >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]44"""
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]45 args = XOSProcessorArgs(inputs = xproto,
46 target = self.target)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]47
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]48 output = XOSProcessor.process(args)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]49
50 exec(output) # This loads the generated function, which should look like this:
51
52 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]53 def output_security_check(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]54 i1 = True
55 return i1
56 """
57
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]58 verdict = output_security_check({}, {})
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]59 self.assertTrue(verdict)
60
61 def test_equal(self):
62 xproto = \
63"""
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]64 policy output < ctx.user = obj.user >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]65"""
66
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]67 args = XOSProcessorArgs(inputs = xproto,
68 target = self.target)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]69
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]70 output = XOSProcessor.process(args)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]71
72 exec(output) # This loads the generated function, which should look like this:
73
74 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]75 def output_security_check(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]76 i1 = (ctx.user == obj.user)
77 return i1
78 """
79
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]80 obj = FakeObject()
81 obj.user = 1
82 ctx = FakeObject()
83 ctx.user = 1
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]84
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]85 verdict = output_security_check(obj, ctx)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]86
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]87 def test_call_policy(self):
88 xproto = \
89"""
90 policy sub_policy < ctx.user = obj.user >
91 policy output < *sub_policy(child) >
92"""
93
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]94 args = XOSProcessorArgs(inputs = xproto,
95 target = self.target)
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]96
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]97 output = XOSProcessor.process(args)
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]98
99 exec(output,globals()) # This loads the generated function, which should look like this:
100
101 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]102 def sub_policy_security_check(obj, ctx):
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]103 i1 = (ctx.user == obj.user)
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]104 return i1
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]105
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]106 def output_security_check(obj, ctx):
107 if obj.child:
108 i1 = sub_policy_security_check(obj.child, ctx)
109 else:
110 i1 = True
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]111 return i1
112 """
113
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]114 obj = FakeObject()
115 obj.child = FakeObject()
116 obj.child.user = 1
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]117
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]118 ctx = FakeObject()
119 ctx.user = 1
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]120
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]121 verdict = output_security_check(obj, ctx)
122 self.assertTrue(verdict)
123
124 def test_call_policy_child_none(self):
125 xproto = \
126"""
127 policy sub_policy < ctx.user = obj.user >
128 policy output < *sub_policy(child) >
129"""
130
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]131 args = XOSProcessorArgs(inputs = xproto,
132 target = self.target)
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]133
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]134 output = XOSProcessor.process(args)
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]135
136 exec(output,globals()) # This loads the generated function, which should look like this:
137
138 """
139 def sub_policy_security_check(obj, ctx):
140 i1 = (ctx.user == obj.user)
141 return i1
142
143 def output_security_check(obj, ctx):
144 if obj.child:
145 i1 = sub_policy_security_check(obj.child, ctx)
146 else:
147 i1 = True
148 return i1
149 """
150
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]151 obj = FakeObject()
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]152 obj.child = None
153
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]154 ctx = FakeObject()
155 ctx.user = 1
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]156
Sapan Bhatiac6543dd2017-12-07 11:40:36 -0500[diff] [blame]157 verdict = output_security_check(obj, ctx)
158 self.assertTrue(verdict)
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]159
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]160 def test_bin(self):
161 xproto = \
162"""
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]163 policy output < ctx.is_admin = True | obj.empty = True>
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]164"""
165
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]166 args = XOSProcessorArgs(inputs = xproto,
167 target = self.target)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]168
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]169 output = XOSProcessor.process(args)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]170 exec(output) # This loads the generated function, which should look like this:
171
172 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]173 def output_security_check(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]174 i2 = (ctx.is_admin == True)
175 i3 = (obj.empty == True)
176 i1 = (i2 or i3)
177 return i1
178 """
179
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]180 obj = FakeObject()
181 obj.empty = True
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]182
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]183 ctx = FakeObject()
184 ctx.is_admin = True
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]185
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]186 verdict = output_security_check(obj, ctx)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]187
188 self.assertTrue(verdict)
189
190
191 def test_exists(self):
192 xproto = \
193"""
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]194 policy output < exists Privilege: Privilege.object_id = obj.id >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]195"""
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]196 args = XOSProcessorArgs(inputs = xproto,
197 target = self.target)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]198
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]199 output = XOSProcessor.process(args)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]200 exec(output) # This loads the generated function, which should look like this:
201
202 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]203 def output_security_check(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]204 i1 = Privilege.objects.filter(object_id=obj.id)
205 return i1
206 """
207
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]208 self.assertTrue(output_security_check is not None)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]209
210 def test_python(self):
211 xproto = \
212"""
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]213 policy output < {{ "jack" in ["the", "box"] }} = False >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]214"""
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]215 args = XOSProcessorArgs(inputs = xproto,
216 target = self.target)
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]217 output = XOSProcessor.process(args)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]218 exec(output) # This loads the generated function, which should look like this:
219
220 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]221 def output_security_check(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]222 i2 = ('jack' in ['the', 'box'])
223 i1 = (i2 == False)
224 return i1
225 """
226
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]227 self.assertTrue(output_security_check({}, {}) is True)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]228
229 def test_forall(self):
230 # This one we only parse
231 xproto = \
232"""
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]233 policy output < forall Credential: Credential.obj_id = obj_id >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]234"""
235
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame^]236 args = XOSProcessorArgs(inputs = xproto,
237 target = self.target)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]238
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]239 output = XOSProcessor.process(args)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]240 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]241 def output_security_check(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]242 i2 = Credential.objects.filter((~ Q(obj_id=obj_id)))[0]
243 i1 = (not i2)
244 return i1
245 """
246 exec(output)
247
248if __name__ == '__main__':
249 unittest.main()