blob: 2c704ac7804cd596ee5eceba4a926d472c80b3e6 [file] [log] [blame]
Matteo Scandolod2044a42017-08-07 16:08:28 -07001
2# Copyright 2017-present Open Networking Foundation
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15
16
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040017import unittest
Sapan Bhatiabfb233a2018-02-09 14:53:09 -080018from xosgenx.generator import XOSProcessor
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040019from helpers import FakeArgs, XProtoTestHelpers
Sapan Bhatiab69f4702017-07-31 16:03:33 -040020import pdb
21import mock
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040022
Sapan Bhatia5ea307d2017-07-19 00:13:21 -040023"""The function below is for eliminating warnings arising due to the missing policy_output_enforcer,
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040024which is generated and loaded dynamically.
25"""
Sapan Bhatia5ea307d2017-07-19 00:13:21 -040026def policy_output_enforcer(x, y):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040027 raise Exception("Security enforcer not generated. Test failed.")
28 return False
29
30"""
31The tests below use the Python code target to generate
32Python security policies, set up an appropriate environment and execute the Python.
Sapan Bhatiab69f4702017-07-31 16:03:33 -040033The security policies here deliberately made complex in order to stress the processor.
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040034"""
35class XProtoXOSSecurityTest(unittest.TestCase):
36 def setUp(self):
Sapan Bhatia5ea307d2017-07-19 00:13:21 -040037 self.target = XProtoTestHelpers.write_tmp_target("{{ xproto_fol_to_python_test('output',proto.policies.test_policy, None, '0') }}")
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040038
39 """
40 This is the security policy for controllers
41 """
42 def test_controller_policy(self):
43 xproto = \
44"""
Sapan Bhatiab69f4702017-07-31 16:03:33 -040045 policy test_policy < ctx.user.is_admin | exists Privilege: Privilege.accessor_id = ctx.user.id & Privilege.object_type = "Deployment" & Privilege.permission = "role:admin" & Privilege.object_id = obj.id >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040046"""
47 args = FakeArgs()
48 args.inputs = xproto
49 args.target = self.target
50
Sapan Bhatiabfb233a2018-02-09 14:53:09 -080051 output = XOSProcessor.process(args)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040052
53 exec(output) # This loads the generated function, which should look like this:
54
55 """
Sapan Bhatia5ea307d2017-07-19 00:13:21 -040056 def policy_output_enforcer(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040057 i2 = ctx.user.is_admin
Sapan Bhatiab69f4702017-07-31 16:03:33 -040058 i3 = Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(object_type='Deployment'), Q(permission='role:admin'), Q(object_id=obj.id))[0]
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040059 i1 = (i2 or i3)
Sapan Bhatiab69f4702017-07-31 16:03:33 -040060 return i1
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040061 """
62
63 # FIXME: Test this policy by executing it
Sapan Bhatia5ea307d2017-07-19 00:13:21 -040064 self.assertTrue(policy_output_enforcer is not None)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040065
66 """
Sapan Bhatiab69f4702017-07-31 16:03:33 -040067 This is the security policy for ControllerNetworks
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040068 """
Sapan Bhatiab69f4702017-07-31 16:03:33 -040069 def test_controller_network_policy(self):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040070 xproto = \
71"""
Sapan Bhatiab69f4702017-07-31 16:03:33 -040072 policy test_policy <
73 ctx.user.is_admin
74 | (exists Privilege:
75 Privilege.accessor_id = ctx.user.id
76 & Privilege.accessor_type = "User"
77 & Privilege.object_type = "Slice"
78 & Privilege.object_id = obj.owner.id)
79 | (exists Privilege:
80 Privilege.accessor_id = ctx.user.id
81 & Privilege.accessor_type = "User"
82 & Privilege.object_type = "Site"
83 & Privilege.object_id = obj.owner.site.id
84 & Privilege.permission = "role:admin") >
85"""
86 args = FakeArgs()
87 args.inputs = xproto
88 args.target = self.target
89
Sapan Bhatiabfb233a2018-02-09 14:53:09 -080090 output = XOSProcessor.process(args)
Sapan Bhatiab69f4702017-07-31 16:03:33 -040091 exec(output) # This loads the generated function, which should look like this:
92
93 """
94 def policy_output_enforcer(obj, ctx):
95 i2 = ctx.user.is_admin
96 i4 = Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Slice'), Q(object_id=obj.owner.id))[0]
97 i5 = Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Site'), Q(object_id=obj.owner.site.id), Q(permission='role:admin'))[0]
98 i3 = (i4 or i5)
99 i1 = (i2 or i3)
100 return i1
101 """
102
103 # FIXME: Test this policy by executing it
104 self.assertTrue(policy_output_enforcer is not None)
105
106 """
107 This is the security policy for Slices
108 """
109 def test_slice_policy(self):
110 xproto = \
111"""
112 policy site_policy <
113 ctx.user.is_admin
114 | (ctx.write_access -> exists Privilege: Privilege.object_type = "Site" & Privilege.object_id = obj.id & Privilege.accessor_id = ctx.user.id & Privilege.permission_id = "role:admin") >
115
116 policy test_policy <
117 ctx.user.is_admin
118 | (*site_policy(site)
119 & ((exists Privilege:
120 Privilege.accessor_id = ctx.user.id
121 & Privilege.accessor_type = "User"
122 & Privilege.object_type = "Slice"
123 & Privilege.object_id = obj.id
124 & (ctx.write_access->Privilege.permission="role:admin"))
125 | (exists Privilege:
126 Privilege.accessor_id = ctx.user.id
127 & Privilege.accessor_type = "User"
128 & Privilege.object_type = "Site"
129 & Privilege.object_id = obj.site.id
130 & Privilege.permission = "role:admin"))
131 )>
132
133"""
134 args = FakeArgs()
135 args.inputs = xproto
136 args.target = self.target
137
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800138 output = XOSProcessor.process(args)
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400139
140 exec(output) # This loads the generated function, which should look like this:
141
142 """
143 def policy_output_enforcer(obj, ctx):
144 i2 = ctx.user.is_admin
145 i4 = policy_site_policy_enforcer(obj.site, ctx)
146 i10 = ctx.write_access
147 i11 = (not (not Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Slice'), Q(object_id=obj.id), Q(permission='role:admin'))))
148 i8 = (i10 and i11)
149 i14 = ctx.write_access
150 i12 = (not i14)
151 i13 = (not (not Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Slice'), Q(object_id=obj.id))))
152 i9 = (i12 and i13)
153 i6 = (i8 or i9)
154 i7 = (not (not Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Site'), Q(object_id=obj.site.id), Q(permission='role:admin'))))
155 i5 = (i6 or i7)
156 i3 = (i4 and i5)
157 i1 = (i2 or i3)
158 return i1
159 """
160
161 # FIXME: Test this policy by executing it
162 self.assertTrue(policy_output_enforcer is not None)
163
164 """
165 This is the security policy for Users
166 """
167 def test_user_policy(self):
168 xproto = \
169"""
170 policy test_policy <
171 ctx.user.is_admin
172 | ctx.user.id = obj.id
173 | (exists Privilege:
174 Privilege.accessor_id = ctx.user.id
175 & Privilege.accessor_type = "User"
176 & Privilege.permission = "role:admin"
177 & Privilege.object_type = "Site"
178 & Privilege.object_id = ctx.user.site.id) >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400179"""
180 args = FakeArgs()
181 args.inputs = xproto
182 args.target = self.target
183
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800184 output = XOSProcessor.process(args)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400185
186 exec(output) # This loads the generated function, which should look like this:
187
188 """
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400189 def policy_output_enforcer(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400190 i2 = ctx.user.is_admin
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400191 i4 = (ctx.user.id == obj.id)
192 i5 = Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(permission='role:admin'), Q(object_type='Site'), Q(object_id=ctx.user.site.id))[0]
193 i3 = (i4 or i5)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400194 i1 = (i2 or i3)
195 return i1
196 """
197
198 # FIXME: Test this policy by executing it
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400199 self.assertTrue(policy_output_enforcer is not None)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400200
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400201if __name__ == '__main__':
202 unittest.main()