Gitiles
Code Review Sign In
gerrit.opencord.org / xos / e52d3ea83d3a26b8d0a72cccce7898258926f5eb / . / lib / xos-genx / xos-genx-tests / test_general_security.py
blob: 26a47360b64cad1f11f4fe9b69a3e3045cae9642 [file] [log] [blame]
Matteo Scandolod2044a42017-08-07 16:08:28 -0700[diff] [blame]1# Copyright 2017-present Open Networking Foundation
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
Zack Williams9a42f872019-02-15 17:56:04 -0700[diff] [blame]15from __future__ import absolute_import
16from __future__ import print_function
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]17import unittest
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]18from xosgenx.generator import XOSProcessor, XOSProcessorArgs
19from helpers import XProtoTestHelpers, FakeObject
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]20
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]21
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]22def output_security_check(x, y):
Zack Williams9a42f872019-02-15 17:56:04 -0700[diff] [blame]23 """
24 This function eliminates warnings arising due to the missing
25 output_security_check, which is generated and loaded dynamically. This is
26 defined in the global namespace, and in python3 the globals() namespace has
27 to be passed to calls to "exec()" for the xproto-generated version to
28 redefine this function.
29 """
30
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]31 raise Exception("Security enforcer not generated. Test failed.")
32 return False
33
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]34
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]35class XProtoSecurityTest(unittest.TestCase):
Zack Williams9a42f872019-02-15 17:56:04 -0700[diff] [blame]36 """
37 Use the Python code target to generate Python security policies, set up an
38 appropriate environment and execute the Python.
39 """
40
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]41 def setUp(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]42 self.target = XProtoTestHelpers.write_tmp_target(
43 """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]44{% for name, policy in proto.policies.items() %}
45{{ xproto_fol_to_python_test(name, policy, None, '0') }}
46{% endfor %}
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]47"""
48 )
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]49
50 def test_constant(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]51 xproto = """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]52 policy output < True >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]53"""
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]54 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]55 output = XOSProcessor.process(args)
Zack Williams9a42f872019-02-15 17:56:04 -0700[diff] [blame]56 exec(output, globals()) # This loads the generated function, which should look like this:
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]57
58 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]59 def output_security_check(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]60 i1 = True
61 return i1
62 """
63
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]64 verdict = output_security_check({}, {})
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]65 self.assertTrue(verdict)
66
67 def test_equal(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]68 xproto = """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]69 policy output < ctx.user = obj.user >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]70"""
71
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]72 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]73 output = XOSProcessor.process(args)
Zack Williams9a42f872019-02-15 17:56:04 -0700[diff] [blame]74 exec(output, globals()) # This loads the generated function, which should look like this:
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]75
76 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]77 def output_security_check(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]78 i1 = (ctx.user == obj.user)
79 return i1
80 """
81
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]82 obj = FakeObject()
83 obj.user = 1
84 ctx = FakeObject()
85 ctx.user = 1
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]86
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]87 verdict = output_security_check(obj, ctx)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]88
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]89 def test_call_policy(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]90 xproto = """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]91 policy sub_policy < ctx.user = obj.user >
92 policy output < *sub_policy(child) >
93"""
94
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]95 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]96 output = XOSProcessor.process(args)
Zack Williams9a42f872019-02-15 17:56:04 -0700[diff] [blame]97 exec(output, globals()) # This loads the generated function, which should look like this:
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]98
99 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]100 def sub_policy_security_check(obj, ctx):
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]101 i1 = (ctx.user == obj.user)
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]102 return i1
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]103
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]104 def output_security_check(obj, ctx):
105 if obj.child:
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]106 i1 = sub_policy_security_check(obj.child, ctx)
107 else:
108 i1 = True
109 return i1
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]110 """
111
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]112 obj = FakeObject()
113 obj.child = FakeObject()
114 obj.child.user = 1
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]115
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]116 ctx = FakeObject()
117 ctx.user = 1
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]118
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]119 verdict = output_security_check(obj, ctx)
120 self.assertTrue(verdict)
121
122 def test_call_policy_child_none(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]123 xproto = """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]124 policy sub_policy < ctx.user = obj.user >
125 policy output < *sub_policy(child) >
126"""
127
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]128 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]129 output = XOSProcessor.process(args)
Zack Williams9a42f872019-02-15 17:56:04 -0700[diff] [blame]130 exec(output, globals()) # This loads the generated function, which should look like this:
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]131
132 """
133 def sub_policy_security_check(obj, ctx):
134 i1 = (ctx.user == obj.user)
135 return i1
136
137 def output_security_check(obj, ctx):
138 if obj.child:
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]139 i1 = sub_policy_security_check(obj.child, ctx)
140 else:
141 i1 = True
142 return i1
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]143 """
144
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]145 obj = FakeObject()
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]146 obj.child = None
147
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]148 ctx = FakeObject()
149 ctx.user = 1
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]150
Sapan Bhatiac6543dd2017-12-07 11:40:36 -0500[diff] [blame]151 verdict = output_security_check(obj, ctx)
152 self.assertTrue(verdict)
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]153
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]154 def test_bin(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]155 xproto = """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]156 policy output < ctx.is_admin = True | obj.empty = True>
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]157"""
158
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]159 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]160 output = XOSProcessor.process(args)
Zack Williams9a42f872019-02-15 17:56:04 -0700[diff] [blame]161 exec(output, globals()) # This loads the generated function, which should look like this:
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]162
163 """
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]164 def output_security_check(obj, ctx):
165 i2 = (ctx.is_admin == True)
166 i3 = (obj.empty == True)
167 i1 = (i2 or i3)
168 return i1
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]169 """
170
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]171 obj = FakeObject()
172 obj.empty = True
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]173
Scott Baker1f7791d2018-10-04 13:21:20 -0700[diff] [blame]174 ctx = FakeObject()
175 ctx.is_admin = True
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]176
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]177 verdict = output_security_check(obj, ctx)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]178
179 self.assertTrue(verdict)
180
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]181 def test_exists(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]182 xproto = """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]183 policy output < exists Privilege: Privilege.object_id = obj.id >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]184"""
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]185 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]186 output = XOSProcessor.process(args)
Zack Williams9a42f872019-02-15 17:56:04 -0700[diff] [blame]187 exec(output, globals()) # This loads the generated function, which should look like this:
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]188
189 """
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]190 def output_security_check(obj, ctx):
191 i1 = Privilege.objects.filter(object_id=obj.id)
192 return i1
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]193 """
194
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]195 self.assertTrue(output_security_check is not None)
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]196
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]197 def test_python(self):
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]198 xproto = """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]199 policy output < {{ "jack" in ["the", "box"] }} = False >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]200"""
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]201 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]202 output = XOSProcessor.process(args)
Zack Williams9a42f872019-02-15 17:56:04 -0700[diff] [blame]203 exec(output, globals()) # This loads the generated function, which should look like this:
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]204
205 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]206 def output_security_check(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]207 i2 = ('jack' in ['the', 'box'])
208 i1 = (i2 == False)
209 return i1
210 """
211
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]212 self.assertTrue(output_security_check({}, {}) is True)
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]213
214 def test_forall(self):
215 # This one we only parse
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]216 xproto = """
Sapan Bhatiad3fcb662017-07-25 21:13:48 -0400[diff] [blame]217 policy output < forall Credential: Credential.obj_id = obj_id >
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]218"""
219
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]220 args = XOSProcessorArgs(inputs=xproto, target=self.target)
Sapan Bhatiabfb233a2018-02-09 14:53:09 -0800[diff] [blame]221 output = XOSProcessor.process(args)
Zack Williams9a42f872019-02-15 17:56:04 -0700[diff] [blame]222 exec(output, globals())
223
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]224 """
Sapan Bhatiae294aae2017-09-06 11:21:15 -0400[diff] [blame]225 def output_security_check(obj, ctx):
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]226 i2 = Credential.objects.filter((~ Q(obj_id=obj_id)))[0]
227 i1 = (not i2)
228 return i1
229 """
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]230
Zack Williams045b63d2019-01-22 16:30:57 -0700[diff] [blame]231
232if __name__ == "__main__":
Sapan Bhatia3e3c1cd2017-07-15 01:35:44 -0400[diff] [blame]233 unittest.main()