# Copyright 2017-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


import unittest
from xosgenx.generator import XOSGenerator
from helpers import FakeArgs, XProtoTestHelpers

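def output_security_check(x, y):
    """Placeholder for the security check that is generated and loaded dynamically.

    The tests in this file load the real ``output_security_check`` at run time
    with ``exec``. This definition only silences the warnings caused by the
    name being otherwise undefined. If it is ever called, no enforcer was
    generated, so it fails loudly instead of returning a verdict.

    Raises:
        Exception: always.
    """
    # The original had an unreachable ``return False`` after this raise; it is dropped.
    raise Exception("Security enforcer not generated. Test failed.")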
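class XProtoSecurityTest(unittest.TestCase):
    """Tests for the Python code target that turns xproto policies into security checks.

    Each test generates Python from a small xproto policy, loads the generated
    code and, where the check can run without a data model, evaluates
    ``output_security_check(obj, ctx)``.

    Changes from the previous revision of these tests:

    * Generated code is executed in a private namespace and the check is
      fetched from it by name. Previously the tests called whatever
      ``output_security_check`` was visible, which could be the module-level
      placeholder or a function left in ``globals()`` by an earlier test.
    * ``test_equal`` now asserts its verdict (it computed one and discarded it).
    * ``test_exists`` no longer relies on ``output_security_check is not None``,
      which the module-level placeholder made true unconditionally.
    * The second, identical definition of ``test_call_policy_child_none`` is
      removed (it silently replaced the first).
    * Deny-path assertions are added, derived from the expected generated code
      recorded in each test, so a check that always allows no longer passes.
    """

    def setUp(self):
        """Write the temporary target template that renders every policy as Python."""
        self.target = XProtoTestHelpers.write_tmp_target("""
{% for name, policy in proto.policies.items() %}
{{ xproto_fol_to_python_test(name, policy, None, '0') }}
{% endfor %}
""")

    def _load_policies(self, xproto):
        """Generate Python for ``xproto`` and execute it in a fresh namespace.

        Returns the namespace dict containing whatever the generated code
        defined. The executed text is derived from the policy literals in
        this file by the generator. It is kept out of the module globals so
        tests cannot observe each other's generated functions.
        """
        args = FakeArgs()
        args.inputs = xproto
        args.target = self.target

        output = XOSGenerator.generate(args)

        namespace = {}
        exec(output, namespace)
        return namespace

    def _load_check(self, xproto, name="output_security_check"):
        """Return the generated function ``name``, failing the test if it was not emitted."""
        namespace = self._load_policies(xproto)
        self.assertIn(name, namespace, "generator did not emit %s" % name)
        return namespace[name]

    def test_constant(self):
        """A constant-true policy allows any object and context."""
        check = self._load_check("""
    policy output < True >
""")
        # Expected generated code:
        #
        #     def output_security_check(obj, ctx):
        #         i1 = True
        #         return i1

        verdict = check({}, {})
        self.assertTrue(verdict)

    def test_equal(self):
        """An equality policy allows matching users and denies mismatched ones."""
        check = self._load_check("""
    policy output < ctx.user = obj.user >
""")
        # Expected generated code:
        #
        #     def output_security_check(obj, ctx):
        #         i1 = (ctx.user == obj.user)
        #         return i1

        obj = FakeArgs()
        obj.user = 1
        ctx = FakeArgs()
        ctx.user = 1

        self.assertTrue(check(obj, ctx))

        # Deny path: a different requesting user must not pass the check.
        ctx.user = 2
        self.assertFalse(check(obj, ctx))

    def test_call_policy(self):
        """A policy that delegates to a sub-policy applies it to the child object."""
        check = self._load_check("""
    policy sub_policy < ctx.user = obj.user >
    policy output < *sub_policy(child) >
""")
        # Expected generated code:
        #
        #     def sub_policy_security_check(obj, ctx):
        #         i1 = (ctx.user == obj.user)
        #         return i1
        #
        #     def output_security_check(obj, ctx):
        #         if obj.child:
        #             i1 = sub_policy_security_check(obj.child, ctx)
        #         else:
        #             i1 = True
        #         return i1

        obj = FakeArgs()
        obj.child = FakeArgs()
        obj.child.user = 1

        ctx = FakeArgs()
        ctx.user = 1

        self.assertTrue(check(obj, ctx))

        # Deny path: the sub-policy's verdict on the child must propagate.
        obj.child.user = 2
        self.assertFalse(check(obj, ctx))

    def test_call_policy_child_none(self):
        """With no child object the delegating policy allows (the ``else`` branch)."""
        check = self._load_check("""
    policy sub_policy < ctx.user = obj.user >
    policy output < *sub_policy(child) >
""")
        # Expected generated code is the same as in test_call_policy. With
        # obj.child unset the sub-policy is skipped and i1 = True is returned.

        obj = FakeArgs()
        obj.child = None

        ctx = FakeArgs()
        ctx.user = 1

        verdict = check(obj, ctx)
        self.assertTrue(verdict)

    def test_bin(self):
        """A disjunction allows when a term holds and denies when none does."""
        check = self._load_check("""
    policy output < ctx.is_admin = True | obj.empty = True>
""")
        # Expected generated code:
        #
        #     def output_security_check(obj, ctx):
        #         i2 = (ctx.is_admin == True)
        #         i3 = (obj.empty == True)
        #         i1 = (i2 or i3)
        #         return i1

        obj = FakeArgs()
        obj.empty = True

        ctx = FakeArgs()
        ctx.is_admin = True

        self.assertTrue(check(obj, ctx))

        # Deny path: neither term of the disjunction holds.
        obj.empty = False
        ctx.is_admin = False
        self.assertFalse(check(obj, ctx))

    def test_exists(self):
        """An ``exists`` policy generates a loadable check; it is not evaluated here."""
        check = self._load_check("""
    policy output < exists Privilege: Privilege.object_id = obj.id >
""")
        # Expected generated code:
        #
        #     def output_security_check(obj, ctx):
        #         i1 = Privilege.objects.filter(object_id=obj.id)
        #         return i1
        #
        # The check is not called: its body refers to Privilege, which this
        # file never defines.

        self.assertTrue(callable(check))

    def test_python(self):
        """An embedded Python expression is evaluated inside the generated check."""
        check = self._load_check("""
    policy output < {{ "jack" in ["the", "box"] }} = False >
""")
        # Expected generated code:
        #
        #     def output_security_check(obj, ctx):
        #         i2 = ('jack' in ['the', 'box'])
        #         i1 = (i2 == False)
        #         return i1

        self.assertIs(check({}, {}), True)

    def test_forall(self):
        """A ``forall`` policy generates a loadable check; it is not evaluated here."""
        # This one we only parse
        check = self._load_check("""
    policy output < forall Credential: Credential.obj_id = obj_id >
""")
        # Expected generated code:
        #
        #     def output_security_check(obj, ctx):
        #         i2 = Credential.objects.filter((~ Q(obj_id=obj_id)))[0]
        #         i1 = (not i2)
        #         return i1

        self.assertTrue(callable(check))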
# Run the test cases above when this module is executed as a script.
if __name__ == "__main__":
    unittest.main()