2# Copyright 2017-present Open Networking Foundation
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15
16
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -040017import unittest
18from xosgenx.generator import XOSGenerator
19from helpers import FakeArgs, XProtoTestHelpers
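# Module-level stand-in for the enforcer that the tests below generate and
# load dynamically. It exists so that static checkers do not warn about an
# undefined name.
def output_security_check(x, y):
    """Fail the calling test when no generated enforcer replaced this stub.

    The stub raises instead of returning a verdict, so a test that ends up
    calling it (because generation or loading did not happen) cannot be
    mistaken for an "allow" or a "deny" decision.

    Args:
        x: Object the policy would be evaluated against (unused).
        y: Request context (unused).

    Raises:
        Exception: always.
    """
    # The original trailing `return False` was unreachable and is dropped.
    raise Exception("Security enforcer not generated. Test failed.")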
27
28"""
29The tests below use the Python code target to generate
30Python security policies, set up an appropriate environment and execute the Python.
31"""
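class XProtoSecurityTest(unittest.TestCase):
    """Generate Python security enforcers from xproto policies and run them.

    Each test feeds a small xproto policy through XOSGenerator with a target
    that calls xproto_fol_to_python_test, loads the generated source, and
    checks the verdict of the resulting ``output_security_check`` function.

    The generated code is loaded into a fresh dictionary per test rather than
    into the test's locals or the module globals. That way a verdict can only
    come from the enforcer generated by that same test, never from the
    module-level stub or from a function left behind by an earlier test.
    """

    def setUp(self):
        """Write the temporary target template shared by every test."""
        self.target = XProtoTestHelpers.write_tmp_target("""
{% for name, policy in proto.policies.items() %}
{{ xproto_fol_to_python_test(name, policy, None, '0') }}
{% endfor %}
""")

    def _load_enforcers(self, xproto):
        """Generate enforcers for *xproto* and return the namespace holding them.

        Args:
            xproto: xproto source text containing one or more policies.

        Returns:
            dict: the namespace the generated source was executed in; the
            generated ``<policy>_security_check`` functions are its entries.
        """
        args = FakeArgs()
        args.inputs = xproto
        args.target = self.target

        output = XOSGenerator.generate(args)

        # exec() runs whatever the generator emitted. The inputs here are
        # literals defined in this file; this loader is not meant for xproto
        # that comes from outside the test suite.
        namespace = {}
        exec(output, namespace)
        return namespace

    def test_constant(self):
        """A constant-True policy always allows."""
        xproto = """
    policy output < True >
"""
        # Expected generated function:
        #
        #   def output_security_check(obj, ctx):
        #       i1 = True
        #       return i1
        check = self._load_enforcers(xproto)["output_security_check"]

        verdict = check({}, {})
        self.assertTrue(verdict)

    def test_equal(self):
        """An equality policy allows on a match and denies on a mismatch."""
        xproto = """
    policy output < ctx.user = obj.user >
"""
        # Expected generated function:
        #
        #   def output_security_check(obj, ctx):
        #       i1 = (ctx.user == obj.user)
        #       return i1
        check = self._load_enforcers(xproto)["output_security_check"]

        obj = FakeArgs()
        obj.user = 1
        ctx = FakeArgs()
        ctx.user = 1

        # The original computed this verdict but never asserted on it.
        verdict = check(obj, ctx)
        self.assertTrue(verdict)

        # Deny case: without it an enforcer that always allows would pass.
        ctx.user = 2
        self.assertFalse(check(obj, ctx))

    def test_call_policy(self):
        """A policy that delegates to a sub-policy applies it to the child."""
        xproto = """
    policy sub_policy < ctx.user = obj.user >
    policy output < *sub_policy(child) >
"""
        # Expected generated functions:
        #
        #   def sub_policy_security_check(obj, ctx):
        #       i1 = (ctx.user == obj.user)
        #       return i1
        #
        #   def output_security_check(obj, ctx):
        #       if obj.child:
        #           i1 = sub_policy_security_check(obj.child, ctx)
        #       else:
        #           i1 = True
        #       return i1
        #
        # Both functions live in the same namespace, so the outer enforcer
        # resolves the sub-policy there without touching module globals.
        check = self._load_enforcers(xproto)["output_security_check"]

        obj = FakeArgs()
        obj.child = FakeArgs()
        obj.child.user = 1

        ctx = FakeArgs()
        ctx.user = 1

        verdict = check(obj, ctx)
        self.assertTrue(verdict)

        # Deny case: the sub-policy's verdict must propagate to the caller.
        obj.child.user = 2
        self.assertFalse(check(obj, ctx))

    def test_call_policy_child_none(self):
        """A delegating policy allows when the child object is absent."""
        xproto = """
    policy sub_policy < ctx.user = obj.user >
    policy output < *sub_policy(child) >
"""
        # Expected generated functions: same as in test_call_policy.
        #
        # NOTE(review): with no child the generated enforcer takes the
        # `else` branch and allows. This test pins that behaviour; whether
        # "no child" should allow is a policy decision outside this file.
        check = self._load_enforcers(xproto)["output_security_check"]

        obj = FakeArgs()
        obj.child = None

        ctx = FakeArgs()
        ctx.user = 1

        verdict = check(obj, ctx)
        self.assertTrue(verdict)

    def test_bin(self):
        """A disjunction allows when a term holds and denies when none does."""
        xproto = """
    policy output < ctx.is_admin = True | obj.empty = True>
"""
        # Expected generated function:
        #
        #   def output_security_check(obj, ctx):
        #       i2 = (ctx.is_admin == True)
        #       i3 = (obj.empty == True)
        #       i1 = (i2 or i3)
        #       return i1
        check = self._load_enforcers(xproto)["output_security_check"]

        obj = FakeArgs()
        obj.empty = True

        ctx = FakeArgs()
        ctx.is_admin = True

        verdict = check(obj, ctx)
        self.assertTrue(verdict)

        # Deny case: neither term of the disjunction holds.
        obj.empty = False
        ctx.is_admin = False
        self.assertFalse(check(obj, ctx))

    def test_exists(self):
        """An `exists` policy generates a loadable enforcer (not executed)."""
        xproto = """
    policy output < exists Privilege: Privilege.object_id = obj.id >
"""
        # Expected generated function:
        #
        #   def output_security_check(obj, ctx):
        #       i1 = Privilege.objects.filter(object_id=obj.id)
        #       return i1
        #
        # Privilege is not available here, so the enforcer is only checked
        # for presence. Looking it up in the fresh namespace makes this a
        # real check; the original `is not None` test was also satisfied by
        # the module-level stub.
        namespace = self._load_enforcers(xproto)

        self.assertTrue(callable(namespace.get("output_security_check")))

    def test_python(self):
        """An embedded Python expression is evaluated inside the enforcer."""
        xproto = """
    policy output < {{ "jack" in ["the", "box"] }} = False >
"""
        # Expected generated function:
        #
        #   def output_security_check(obj, ctx):
        #       i2 = ('jack' in ['the', 'box'])
        #       i1 = (i2 == False)
        #       return i1
        check = self._load_enforcers(xproto)["output_security_check"]

        self.assertIs(check({}, {}), True)

    def test_forall(self):
        """A `forall` policy generates a loadable enforcer (not executed)."""
        # This one we only parse
        xproto = """
    policy output < forall Credential: Credential.obj_id = obj_id >
"""
        # Expected generated function:
        #
        #   def output_security_check(obj, ctx):
        #       i2 = Credential.objects.filter((~ Q(obj_id=obj_id)))[0]
        #       i1 = (not i2)
        #       return i1
        namespace = self._load_enforcers(xproto)

        self.assertTrue(callable(namespace.get("output_security_check")))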
256
# Run the test suite when this file is executed as a script.
if __name__ == "__main__":
    unittest.main()