Gitiles
Code Review Sign In
gerrit.opencord.org / xos / c2fddaa669ad74e6ac0e2b9b22b79bff43e109ec / . / lib / xos-genx / xos-genx-tests / test_general_security.py
blob: c675b16256e78601094f1095d7868ac309fd7b21 [file] [log] [blame]
Matteo Scandolod2044a42017-08-07 16:08:28 -0700[diff] [blame]1# Copyright 2017-present Open Networking Foundation
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]16import unittest
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]17from xosgenx.generator import XOSProcessor, XOSProcessorArgs
18from helpers import XProtoTestHelpers, FakeObject
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]19
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]20"""The function below is for eliminating warnings arising due to the missing output_security_check,
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]21which is generated and loaded dynamically.
22"""
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]23
24
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]25def output_security_check(x, y):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]26 raise Exception("Security enforcer not generated. Test failed.")
27 return False
28
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]29
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]30"""
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]31The tests below use the Python code target to generate
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]32Python security policies, set up an appropriate environment and execute the Python.
33"""
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]34
35
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]36class XProtoSecurityTest(unittest.TestCase):
37 def setUp(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]38 self.target = XProtoTestHelpers.write_tmp_target(
39 """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]40{% for name, policy in proto.policies.items() %}
41{{ xproto_fol_to_python_test(name, policy, None, '0') }}
42{% endfor %}
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]43"""
44 )
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]45
46 def test_constant(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]47 xproto = """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]48 policy output < True >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]49"""
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]50 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]51
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]52 output = XOSProcessor.process(args)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]53
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]54 exec(output) # This loads the generated function, which should look like this:
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]55
56 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]57 def output_security_check(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]58 i1 = True
59 return i1
60 """
61
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]62 verdict = output_security_check({}, {})
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]63 self.assertTrue(verdict)
64
65 def test_equal(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]66 xproto = """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]67 policy output < ctx.user = obj.user >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]68"""
69
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]70 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]71
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]72 output = XOSProcessor.process(args)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]73
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]74 exec(output) # This loads the generated function, which should look like this:
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]75
76 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]77 def output_security_check(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]78 i1 = (ctx.user == obj.user)
79 return i1
80 """
81
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]82 obj = FakeObject()
83 obj.user = 1
84 ctx = FakeObject()
85 ctx.user = 1
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]86
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]87 verdict = output_security_check(obj, ctx)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]88
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]89 def test_call_policy(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]90 xproto = """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]91 policy sub_policy < ctx.user = obj.user >
92 policy output < *sub_policy(child) >
93"""
94
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]95 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]96
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]97 output = XOSProcessor.process(args)
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]98
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]99 exec(
100 output, globals()
101 ) # This loads the generated function, which should look like this:
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]102
103 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]104 def sub_policy_security_check(obj, ctx):
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]105 i1 = (ctx.user == obj.user)
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]106 return i1
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]107
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]108 def output_security_check(obj, ctx):
109 if obj.child:
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]110 i1 = sub_policy_security_check(obj.child, ctx)
111 else:
112 i1 = True
113 return i1
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]114 """
115
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]116 obj = FakeObject()
117 obj.child = FakeObject()
118 obj.child.user = 1
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]119
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]120 ctx = FakeObject()
121 ctx.user = 1
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]122
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]123 verdict = output_security_check(obj, ctx)
124 self.assertTrue(verdict)
125
126 def test_call_policy_child_none(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]127 xproto = """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]128 policy sub_policy < ctx.user = obj.user >
129 policy output < *sub_policy(child) >
130"""
131
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]132 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]133
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]134 output = XOSProcessor.process(args)
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]135
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]136 exec(
137 output, globals()
138 ) # This loads the generated function, which should look like this:
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]139
140 """
141 def sub_policy_security_check(obj, ctx):
142 i1 = (ctx.user == obj.user)
143 return i1
144
145 def output_security_check(obj, ctx):
146 if obj.child:
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]147 i1 = sub_policy_security_check(obj.child, ctx)
148 else:
149 i1 = True
150 return i1
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]151 """
152
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]153 obj = FakeObject()
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]154 obj.child = None
155
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]156 ctx = FakeObject()
157 ctx.user = 1
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]158
Sapan Bhatiac6543dd2017-12-07 11:40:36 -0500[diff] [blame]159 verdict = output_security_check(obj, ctx)
160 self.assertTrue(verdict)
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]161
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]162 def test_bin(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]163 xproto = """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]164 policy output < ctx.is_admin = True | obj.empty = True>
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]165"""
166
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]167 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]168
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]169 output = XOSProcessor.process(args)
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]170 exec(output) # This loads the generated function, which should look like this:
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]171
172 """
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]173 def output_security_check(obj, ctx):
174 i2 = (ctx.is_admin == True)
175 i3 = (obj.empty == True)
176 i1 = (i2 or i3)
177 return i1
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]178 """
179
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]180 obj = FakeObject()
181 obj.empty = True
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]182
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]183 ctx = FakeObject()
184 ctx.is_admin = True
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]185
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]186 verdict = output_security_check(obj, ctx)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]187
188 self.assertTrue(verdict)
189
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]190 def test_exists(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]191 xproto = """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]192 policy output < exists Privilege: Privilege.object_id = obj.id >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]193"""
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]194 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]195
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]196 output = XOSProcessor.process(args)
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]197 exec(output) # This loads the generated function, which should look like this:
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]198
199 """
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]200 def output_security_check(obj, ctx):
201 i1 = Privilege.objects.filter(object_id=obj.id)
202 return i1
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]203 """
204
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]205 self.assertTrue(output_security_check is not None)
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]206
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]207 def test_python(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]208 xproto = """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]209 policy output < {{ "jack" in ["the", "box"] }} = False >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]210"""
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]211 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]212 output = XOSProcessor.process(args)
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]213 exec(output) # This loads the generated function, which should look like this:
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]214
215 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]216 def output_security_check(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]217 i2 = ('jack' in ['the', 'box'])
218 i1 = (i2 == False)
219 return i1
220 """
221
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]222 self.assertTrue(output_security_check({}, {}) is True)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]223
224 def test_forall(self):
225 # This one we only parse
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]226 xproto = """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]227 policy output < forall Credential: Credential.obj_id = obj_id >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]228"""
229
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]230 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]231
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]232 output = XOSProcessor.process(args)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]233 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]234 def output_security_check(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]235 i2 = Credential.objects.filter((~ Q(obj_id=obj_id)))[0]
236 i1 = (not i2)
237 return i1
238 """
239 exec(output)
240
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]241
242if __name__ == "__main__":
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]243 unittest.main()