create scenario test

Change-Id: Id392d900583a31fb53a9da5bcb0c47746f34491a Signed-off-by: WuKong <rebirthmonkey@gmail.com>
author: WuKong <rebirthmonkey@gmail.com> 2015-10-12 14:29:11 +0200
committer: WuKong <rebirthmonkey@gmail.com> 2015-10-12 14:29:11 +0200
commit: a363067a1bdf411c28032b926b451fc9d0964dc6 (patch)
tree: b663db364a162232602210da11df567d286296ac /keystone-moon
parent: 43da0e268fd88c05e49a3d949e3685a13fa43926 (diff)
15 files changed, 268 insertions, 4 deletions
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json
new file mode 100644
index 00000000..0712dfbc
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json
@@ -0,0 +1,29 @@
+{
+    "subject_assignments": {
+        "subject_security_level":{
+			"admin": ["high"],
+			"demo": ["medium"]
+        }
+	},
+
+    "action_assignments": {
+        "resource_action":{
+			"pause": ["vm_admin"],
+			"unpause": ["vm_admin"],
+			"start": ["vm_admin"],
+			"stop": ["vm_admin"],
+			"list": ["vm_access", "vm_admin"],
+			"create": ["vm_admin"],
+			"storage_list": ["storage_access"],
+			"download": ["storage_access"],
+			"post": ["storage_admin"],
+			"upload": ["storage_admin"]
+        }
+	},
+
+    "object_assignments": {
+        "object_security_level": {
+            "servers": ["low"]
+        }
+    }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json
new file mode 100644
index 00000000..c419c815
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json
@@ -0,0 +1,18 @@
+{
+    "name": "MLS_Policy",
+    "model": "MLS",
+    "genre": "authz",
+    "description": "Multi Level Security Policy",
+
+    "subject_categories": [
+        "subject_security_level"
+    ],
+
+    "action_categories": [
+        "resource_action"
+    ],
+
+    "object_categories": [
+        "object_security_level"
+    ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json
new file mode 100644
index 00000000..e068927c
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json
@@ -0,0 +1,12 @@
+{
+    "sub_meta_rules": {
+		"mls_rule": {
+			"subject_categories": ["subject_security_level"],
+			"action_categories": ["resource_action"],
+			"object_categories": ["object_security_level"],
+			"algorithm": "inclusion"
+		}
+	},
+	"aggregation": "all_true"
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json b/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json
new file mode 100644
index 00000000..47a8ee45
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json
@@ -0,0 +1,21 @@
+{
+    "subjects": [
+        "admin",
+        "demo"
+    ],
+    "actions": [
+        "pause",
+        "unpause",
+        "start",
+        "stop",
+        "create",
+        "list",
+        "upload",
+        "download",
+        "post",
+        "storage_list"
+    ],
+    "objects": [
+        "servers"
+    ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/rule.json b/keystone-moon/examples/moon/policies/policy_mls_authz/rule.json
new file mode 100644
index 00000000..b17dc822
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/rule.json
@@ -0,0 +1,16 @@
+{
+	"mls_rule":[
+		["high", "vm_admin", "medium"],
+		["high", "vm_admin", "low"],
+		["medium", "vm_admin", "low"],
+		["high", "vm_access", "medium"],
+		["high", "vm_access", "low"],
+		["medium", "vm_access", "low"],
+	  	["high", "storage_admin", "medium"],
+		["high", "storage_admin", "low"],
+		["medium", "storage_admin", "low"],
+		["high", "storage_access", "medium"],
+		["high", "storage_access", "low"],
+		["medium", "storage_access", "low"]
+	]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json b/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json
new file mode 100644
index 00000000..6cc1c28e
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json
@@ -0,0 +1,26 @@
+{
+  "subject_scopes": {
+    "subject_security_level": [
+      "high",
+      "medium",
+      "low"
+    ]
+  },
+
+  "action_scopes": {
+    "resource_action": [
+      "vm_admin",
+      "vm_access",
+      "storage_admin",
+      "storage_access"
+    ]
+  },
+
+  "object_scopes": {
+    "object_security_level": [
+      "high",
+      "medium",
+      "low"
+      ]
+  }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json
index 2c339a39..ed1950b0 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/assignment.json
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json
@@ -1,7 +1,8 @@
 {
     "subject_assignments": {
         "role": {
-			"admin": ["root_role"]
+			"admin": ["root_role"],
+            "demo": ["dev"]
 		}
     },
     "action_assignments": {
diff --git a/keystone-moon/examples/moon/policies/policy_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json
index 9ee8a11d..9ee8a11d 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/metadata.json
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json
diff --git a/keystone-moon/examples/moon/policies/policy_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json
index 86dbfad2..86dbfad2 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/metarule.json
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json
diff --git a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json
index 3fe71bb5..1155533e 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json
@@ -1,6 +1,7 @@
 {
     "subjects": [
-        "admin"
+        "admin",
+        "demo"
     ],
     "actions": [
         "read",
diff --git a/keystone-moon/examples/moon/policies/policy_admin/rule.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/rule.json
index 020dac41..c89ceff3 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/rule.json
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/rule.json
@@ -59,6 +59,36 @@
     ["root_role" , "write", "admin.action_assignments"],
     ["root_role" , "write", "admin.aggregation_algorithm"],
     ["root_role" , "write", "admin.sub_meta_rules"],    
-    ["root_role" , "write", "admin.rules"]
+    ["root_role" , "write", "admin.rules"],
+    ["dev_role" , "read", "authz.subjects"],
+    ["dev_role" , "read", "authz.objects"],
+    ["dev_role" , "read", "authz.actions"],
+    ["dev_role" , "read", "authz.subject_categories"],
+    ["dev_role" , "read", "authz.object_categories"],
+    ["dev_role" , "read", "authz.action_categories"],
+    ["dev_role" , "read", "authz.subject_scopes"],
+    ["dev_role" , "read", "authz.object_scopes"],
+    ["dev_role" , "read", "authz.action_scopes"],
+    ["dev_role" , "read", "authz.subject_assignments"],
+    ["dev_role" , "read", "authz.object_assignments"],
+    ["dev_role" , "read", "authz.action_assignments"],
+    ["dev_role" , "read", "authz.aggregation_algorithm"],
+    ["dev_role" , "read", "authz.sub_meta_rules"],
+    ["dev_role" , "read", "authz.rules"],
+    ["dev_role" , "read", "admin.subjects"],
+    ["dev_role" , "read", "admin.objects"],
+    ["dev_role" , "read", "admin.actions"],
+    ["dev_role" , "read", "admin.subject_categories"],
+    ["dev_role" , "read", "admin.object_categories"],
+    ["dev_role" , "read", "admin.action_categories"],
+    ["dev_role" , "read", "admin.subject_scopes"],
+    ["dev_role" , "read", "admin.object_scopes"],
+    ["dev_role" , "read", "admin.action_scopes"],
+    ["dev_role" , "read", "admin.subject_assignments"],
+    ["dev_role" , "read", "admin.object_assignments"],
+    ["dev_role" , "read", "admin.action_assignments"],
+    ["dev_role" , "read", "admin.aggregation_algorithm"],
+    ["dev_role" , "read", "admin.sub_meta_rules"],
+    ["dev_role" , "read", "admin.rules"]
   ]
 }
diff --git a/keystone-moon/examples/moon/policies/policy_admin/scope.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json
index c8b4908a..149056a6 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/scope.json
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json
@@ -1,7 +1,8 @@
 {
     "subject_scopes": {
         "role": [
-            "root_role"
+            "root_role",
+            "dev_role"
         ]
     },
     "action_scopes": {
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh
new file mode 100644
index 00000000..36afd5a1
--- /dev/null
+++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# as user admin
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx `demo`
+
+# check that now moon authorizes the manipulation list_servers
+nova list
+
+# select the authz intraextension
+moon intraextension select `test_authz_uuid`
+
+# del object assignment for servers
+moon object assignment del `servers_uuid` `object_security_level_uuid` `low_uuid`
+
+# add object assignment for servers
+moon object assignment add `servers_uuid` `object_security_level_uuid` `high_uuid`
+
+# check now moon block the manipulation list_servers
+nova list
+
+# del object assignment for servers
+moon object assignment del `servers_uuid` `object_security_level_uuid` `high_uuid`
+
+# add object assignment for servers
+moon object assignment add `servers_uuid` `object_security_level_uuid` `low_uuid`
+\ No newline at end of file
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh
new file mode 100644
index 00000000..f2c0e4fc
--- /dev/null
+++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# as user admin
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx demo
+
+# select the authz tenant
+moon intraextension select `test_authz_uuid`
+
+# create a VM (vm1) in OpenStack
+nova create vm1.....
+
+# add corresponding object in moon
+moon object add vm1
+
+# check that moon blocks the vm1 manipulatin
+nova vm1 suspend ....
+
+# add object assignment for vm1
+moon object assignment `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# check now moon block the manipulation of vm1
+nova vm1 suspend ....
+
+# del object assignment for servers
+moon object assignment del `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# add object assignment for servers
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `low_uuid`
+
+# check now moon unblock the manipulation of vm1
+nova vm1 suspend ....
+\ No newline at end of file
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh
new file mode 100644
index 00000000..bf4bd3c8
--- /dev/null
+++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# as user demo
+. openrc demo
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx demo
+
+# select the authz tenant
+moon intraextension select `test_authz_uuid`
+
+# check that moon blocks modification of object assignments
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# as user admin
+. openrc admin
+
+# select the admin intraextension
+moon intraextension select `test_admin_uuid`
+
+# add write permission to the dev_role user for assignment table
+moon rule add `rbac_rule_uuid` [`dev_role_uuid`, `write_uuid`, `authz.assignment`]
+
+# as user demo
+. openrc demo
+
+# select the authz intraextension
+moon intraextension select `test_authz_uuid`
+
+# check that moon authorizes modification of rule table by demo
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid`
author	WuKong <rebirthmonkey@gmail.com>	2015-10-12 14:29:11 +0200
committer	WuKong <rebirthmonkey@gmail.com>	2015-10-12 14:29:11 +0200
commit	a363067a1bdf411c28032b926b451fc9d0964dc6 (patch)
tree	b663db364a162232602210da11df567d286296ac /keystone-moon
parent	43da0e268fd88c05e49a3d949e3685a13fa43926 (diff)