Gitiles
Code Review Sign In
gerrit.opencord.org / xos / b69f47009f8ce704a16dadaa4f4b4a87ea86fe5d / . / lib / xos-genx / tests / xos_security_test.py
blob: e6d2c6c218446eba573f005c16cf0bffe3432def [file] [log] [blame]
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]1import unittest
2from xosgenx.generator import XOSGenerator
3from helpers import FakeArgs, XProtoTestHelpers
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame^]4import pdb
5import mock
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]6
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400[diff] [blame]7"""The function below is for eliminating warnings arising due to the missing policy_output_enforcer,
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]8which is generated and loaded dynamically.
9"""
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400[diff] [blame]10def policy_output_enforcer(x, y):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]11 raise Exception("Security enforcer not generated. Test failed.")
12 return False
13
14"""
15The tests below use the Python code target to generate
16Python security policies, set up an appropriate environment and execute the Python.
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame^]17The security policies here deliberately made complex in order to stress the processor.
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]18"""
19class XProtoXOSSecurityTest(unittest.TestCase):
20 def setUp(self):
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400[diff] [blame]21 self.target = XProtoTestHelpers.write_tmp_target("{{ xproto_fol_to_python_test('output',proto.policies.test_policy, None, '0') }}")
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]22
23 """
24 This is the security policy for controllers
25 """
26 def test_controller_policy(self):
27 xproto = \
28"""
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame^]29 policy test_policy < ctx.user.is_admin | exists Privilege: Privilege.accessor_id = ctx.user.id & Privilege.object_type = "Deployment" & Privilege.permission = "role:admin" & Privilege.object_id = obj.id >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]30"""
31 args = FakeArgs()
32 args.inputs = xproto
33 args.target = self.target
34
35 output = XOSGenerator.generate(args)
36
37 exec(output) # This loads the generated function, which should look like this:
38
39 """
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400[diff] [blame]40 def policy_output_enforcer(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]41 i2 = ctx.user.is_admin
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame^]42 i3 = Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(object_type='Deployment'), Q(permission='role:admin'), Q(object_id=obj.id))[0]
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]43 i1 = (i2 or i3)
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame^]44 return i1
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]45 """
46
47 # FIXME: Test this policy by executing it
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400[diff] [blame]48 self.assertTrue(policy_output_enforcer is not None)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]49
50 """
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame^]51 This is the security policy for ControllerNetworks
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]52 """
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame^]53 def test_controller_network_policy(self):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]54 xproto = \
55"""
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame^]56 policy test_policy <
57 ctx.user.is_admin
58 | (exists Privilege:
59 Privilege.accessor_id = ctx.user.id
60 & Privilege.accessor_type = "User"
61 & Privilege.object_type = "Slice"
62 & Privilege.object_id = obj.owner.id)
63 | (exists Privilege:
64 Privilege.accessor_id = ctx.user.id
65 & Privilege.accessor_type = "User"
66 & Privilege.object_type = "Site"
67 & Privilege.object_id = obj.owner.site.id
68 & Privilege.permission = "role:admin") >
69"""
70 args = FakeArgs()
71 args.inputs = xproto
72 args.target = self.target
73
74 output = XOSGenerator.generate(args)
75 exec(output) # This loads the generated function, which should look like this:
76
77 """
78 def policy_output_enforcer(obj, ctx):
79 i2 = ctx.user.is_admin
80 i4 = Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Slice'), Q(object_id=obj.owner.id))[0]
81 i5 = Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Site'), Q(object_id=obj.owner.site.id), Q(permission='role:admin'))[0]
82 i3 = (i4 or i5)
83 i1 = (i2 or i3)
84 return i1
85 """
86
87 # FIXME: Test this policy by executing it
88 self.assertTrue(policy_output_enforcer is not None)
89
90 """
91 This is the security policy for Slices
92 """
93 def test_slice_policy(self):
94 xproto = \
95"""
96 policy site_policy <
97 ctx.user.is_admin
98 | (ctx.write_access -> exists Privilege: Privilege.object_type = "Site" & Privilege.object_id = obj.id & Privilege.accessor_id = ctx.user.id & Privilege.permission_id = "role:admin") >
99
100 policy test_policy <
101 ctx.user.is_admin
102 | (*site_policy(site)
103 & ((exists Privilege:
104 Privilege.accessor_id = ctx.user.id
105 & Privilege.accessor_type = "User"
106 & Privilege.object_type = "Slice"
107 & Privilege.object_id = obj.id
108 & (ctx.write_access->Privilege.permission="role:admin"))
109 | (exists Privilege:
110 Privilege.accessor_id = ctx.user.id
111 & Privilege.accessor_type = "User"
112 & Privilege.object_type = "Site"
113 & Privilege.object_id = obj.site.id
114 & Privilege.permission = "role:admin"))
115 )>
116
117"""
118 args = FakeArgs()
119 args.inputs = xproto
120 args.target = self.target
121
122 output = XOSGenerator.generate(args)
123
124 exec(output) # This loads the generated function, which should look like this:
125
126 """
127 def policy_output_enforcer(obj, ctx):
128 i2 = ctx.user.is_admin
129 i4 = policy_site_policy_enforcer(obj.site, ctx)
130 i10 = ctx.write_access
131 i11 = (not (not Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Slice'), Q(object_id=obj.id), Q(permission='role:admin'))))
132 i8 = (i10 and i11)
133 i14 = ctx.write_access
134 i12 = (not i14)
135 i13 = (not (not Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Slice'), Q(object_id=obj.id))))
136 i9 = (i12 and i13)
137 i6 = (i8 or i9)
138 i7 = (not (not Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Site'), Q(object_id=obj.site.id), Q(permission='role:admin'))))
139 i5 = (i6 or i7)
140 i3 = (i4 and i5)
141 i1 = (i2 or i3)
142 return i1
143 """
144
145 # FIXME: Test this policy by executing it
146 self.assertTrue(policy_output_enforcer is not None)
147
148 """
149 This is the security policy for Users
150 """
151 def test_user_policy(self):
152 xproto = \
153"""
154 policy test_policy <
155 ctx.user.is_admin
156 | ctx.user.id = obj.id
157 | (exists Privilege:
158 Privilege.accessor_id = ctx.user.id
159 & Privilege.accessor_type = "User"
160 & Privilege.permission = "role:admin"
161 & Privilege.object_type = "Site"
162 & Privilege.object_id = ctx.user.site.id) >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]163"""
164 args = FakeArgs()
165 args.inputs = xproto
166 args.target = self.target
167
168 output = XOSGenerator.generate(args)
169
170 exec(output) # This loads the generated function, which should look like this:
171
172 """
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400[diff] [blame]173 def policy_output_enforcer(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]174 i2 = ctx.user.is_admin
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame^]175 i4 = (ctx.user.id == obj.id)
176 i5 = Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(permission='role:admin'), Q(object_type='Site'), Q(object_id=ctx.user.site.id))[0]
177 i3 = (i4 or i5)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]178 i1 = (i2 or i3)
179 return i1
180 """
181
182 # FIXME: Test this policy by executing it
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400[diff] [blame]183 self.assertTrue(policy_output_enforcer is not None)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]184
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]185if __name__ == '__main__':
186 unittest.main()