Gitiles
Code Review Sign In
gerrit.opencord.org / xos / e425f9d169b59c2487ef5e9a408415666c59a91f / . / lib / xos-genx / tests / xos_security_test.py
blob: a07bc7b58ee0cbc5220a143b19de2574b11f20d0 [file] [log] [blame]
Matteo Scandolod2044a42017-08-07 16:08:28 -0700[diff] [blame]1
2# Copyright 2017-present Open Networking Foundation
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15
16
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]17import unittest
18from xosgenx.generator import XOSGenerator
19from helpers import FakeArgs, XProtoTestHelpers
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame]20import pdb
21import mock
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]22
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400[diff] [blame]23"""The function below is for eliminating warnings arising due to the missing policy_output_enforcer,
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]24which is generated and loaded dynamically.
25"""
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400[diff] [blame]26def policy_output_enforcer(x, y):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]27 raise Exception("Security enforcer not generated. Test failed.")
28 return False
29
30"""
31The tests below use the Python code target to generate
32Python security policies, set up an appropriate environment and execute the Python.
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame]33The security policies here deliberately made complex in order to stress the processor.
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]34"""
35class XProtoXOSSecurityTest(unittest.TestCase):
36 def setUp(self):
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400[diff] [blame]37 self.target = XProtoTestHelpers.write_tmp_target("{{ xproto_fol_to_python_test('output',proto.policies.test_policy, None, '0') }}")
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]38
39 """
40 This is the security policy for controllers
41 """
42 def test_controller_policy(self):
43 xproto = \
44"""
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame]45 policy test_policy < ctx.user.is_admin | exists Privilege: Privilege.accessor_id = ctx.user.id & Privilege.object_type = "Deployment" & Privilege.permission = "role:admin" & Privilege.object_id = obj.id >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]46"""
47 args = FakeArgs()
48 args.inputs = xproto
49 args.target = self.target
50
51 output = XOSGenerator.generate(args)
52
53 exec(output) # This loads the generated function, which should look like this:
54
55 """
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400[diff] [blame]56 def policy_output_enforcer(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]57 i2 = ctx.user.is_admin
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame]58 i3 = Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(object_type='Deployment'), Q(permission='role:admin'), Q(object_id=obj.id))[0]
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]59 i1 = (i2 or i3)
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame]60 return i1
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]61 """
62
63 # FIXME: Test this policy by executing it
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400[diff] [blame]64 self.assertTrue(policy_output_enforcer is not None)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]65
66 """
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame]67 This is the security policy for ControllerNetworks
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]68 """
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame]69 def test_controller_network_policy(self):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]70 xproto = \
71"""
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame]72 policy test_policy <
73 ctx.user.is_admin
74 | (exists Privilege:
75 Privilege.accessor_id = ctx.user.id
76 & Privilege.accessor_type = "User"
77 & Privilege.object_type = "Slice"
78 & Privilege.object_id = obj.owner.id)
79 | (exists Privilege:
80 Privilege.accessor_id = ctx.user.id
81 & Privilege.accessor_type = "User"
82 & Privilege.object_type = "Site"
83 & Privilege.object_id = obj.owner.site.id
84 & Privilege.permission = "role:admin") >
85"""
86 args = FakeArgs()
87 args.inputs = xproto
88 args.target = self.target
89
90 output = XOSGenerator.generate(args)
91 exec(output) # This loads the generated function, which should look like this:
92
93 """
94 def policy_output_enforcer(obj, ctx):
95 i2 = ctx.user.is_admin
96 i4 = Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Slice'), Q(object_id=obj.owner.id))[0]
97 i5 = Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Site'), Q(object_id=obj.owner.site.id), Q(permission='role:admin'))[0]
98 i3 = (i4 or i5)
99 i1 = (i2 or i3)
100 return i1
101 """
102
103 # FIXME: Test this policy by executing it
104 self.assertTrue(policy_output_enforcer is not None)
105
106 """
107 This is the security policy for Slices
108 """
109 def test_slice_policy(self):
110 xproto = \
111"""
112 policy site_policy <
113 ctx.user.is_admin
114 | (ctx.write_access -> exists Privilege: Privilege.object_type = "Site" & Privilege.object_id = obj.id & Privilege.accessor_id = ctx.user.id & Privilege.permission_id = "role:admin") >
115
116 policy test_policy <
117 ctx.user.is_admin
118 | (*site_policy(site)
119 & ((exists Privilege:
120 Privilege.accessor_id = ctx.user.id
121 & Privilege.accessor_type = "User"
122 & Privilege.object_type = "Slice"
123 & Privilege.object_id = obj.id
124 & (ctx.write_access->Privilege.permission="role:admin"))
125 | (exists Privilege:
126 Privilege.accessor_id = ctx.user.id
127 & Privilege.accessor_type = "User"
128 & Privilege.object_type = "Site"
129 & Privilege.object_id = obj.site.id
130 & Privilege.permission = "role:admin"))
131 )>
132
133"""
134 args = FakeArgs()
135 args.inputs = xproto
136 args.target = self.target
137
138 output = XOSGenerator.generate(args)
139
140 exec(output) # This loads the generated function, which should look like this:
141
142 """
143 def policy_output_enforcer(obj, ctx):
144 i2 = ctx.user.is_admin
145 i4 = policy_site_policy_enforcer(obj.site, ctx)
146 i10 = ctx.write_access
147 i11 = (not (not Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Slice'), Q(object_id=obj.id), Q(permission='role:admin'))))
148 i8 = (i10 and i11)
149 i14 = ctx.write_access
150 i12 = (not i14)
151 i13 = (not (not Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Slice'), Q(object_id=obj.id))))
152 i9 = (i12 and i13)
153 i6 = (i8 or i9)
154 i7 = (not (not Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(object_type='Site'), Q(object_id=obj.site.id), Q(permission='role:admin'))))
155 i5 = (i6 or i7)
156 i3 = (i4 and i5)
157 i1 = (i2 or i3)
158 return i1
159 """
160
161 # FIXME: Test this policy by executing it
162 self.assertTrue(policy_output_enforcer is not None)
163
164 """
165 This is the security policy for Users
166 """
167 def test_user_policy(self):
168 xproto = \
169"""
170 policy test_policy <
171 ctx.user.is_admin
172 | ctx.user.id = obj.id
173 | (exists Privilege:
174 Privilege.accessor_id = ctx.user.id
175 & Privilege.accessor_type = "User"
176 & Privilege.permission = "role:admin"
177 & Privilege.object_type = "Site"
178 & Privilege.object_id = ctx.user.site.id) >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]179"""
180 args = FakeArgs()
181 args.inputs = xproto
182 args.target = self.target
183
184 output = XOSGenerator.generate(args)
185
186 exec(output) # This loads the generated function, which should look like this:
187
188 """
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400[diff] [blame]189 def policy_output_enforcer(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]190 i2 = ctx.user.is_admin
Sapan Bhatiab69f4702017-07-31 16:03:33 -0400[diff] [blame]191 i4 = (ctx.user.id == obj.id)
192 i5 = Privilege.objects.filter(Q(accessor_id=ctx.user.id), Q(accessor_type='User'), Q(permission='role:admin'), Q(object_type='Site'), Q(object_id=ctx.user.site.id))[0]
193 i3 = (i4 or i5)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]194 i1 = (i2 or i3)
195 return i1
196 """
197
198 # FIXME: Test this policy by executing it
Sapan Bhatia5ea307d2017-07-19 00:13:21 -0400[diff] [blame]199 self.assertTrue(policy_output_enforcer is not None)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]200
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]201if __name__ == '__main__':
202 unittest.main()