diff options
Diffstat (limited to 'keystone-moon/keystone')
3 files changed, 109 insertions, 0 deletions
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh new file mode 100644 index 00000000..36afd5a1 --- /dev/null +++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh @@ -0,0 +1,33 @@ +#!/usr/bin/env bash + +# as user admin + +# create authz intraextension +moon intraextension add policy_mls_authz test_authz + +# create admin intraextension +moon intraextension add policy_rbac_admin test_admin + +# create tenant +moon tenant add --authz xxx --admin xxx `demo` + +# check that now moon authorizes the manipulation list_servers +nova list + +# select the authz intraextension +moon intraextension select `test_authz_uuid` + +# del object assignment for servers +moon object assignment del `servers_uuid` `object_security_level_uuid` `low_uuid` + +# add object assignment for servers +moon object assignment add `servers_uuid` `object_security_level_uuid` `high_uuid` + +# check now moon block the manipulation list_servers +nova list + +# del object assignment for servers +moon object assignment del `servers_uuid` `object_security_level_uuid` `high_uuid` + +# add object assignment for servers +moon object assignment add `servers_uuid` `object_security_level_uuid` `low_uuid`
\ No newline at end of file diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh new file mode 100644 index 00000000..f2c0e4fc --- /dev/null +++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh @@ -0,0 +1,39 @@ +#!/usr/bin/env bash + +# as user admin + +# create authz intraextension +moon intraextension add policy_mls_authz test_authz + +# create admin intraextension +moon intraextension add policy_rbac_admin test_admin + +# create tenant +moon tenant add --authz xxx --admin xxx demo + +# select the authz tenant +moon intraextension select `test_authz_uuid` + +# create a VM (vm1) in OpenStack +nova create vm1..... + +# add corresponding object in moon +moon object add vm1 + +# check that moon blocks the vm1 manipulatin +nova vm1 suspend .... + +# add object assignment for vm1 +moon object assignment `vm1_uuid` `object_security_level_uuid` `high_uuid` + +# check now moon block the manipulation of vm1 +nova vm1 suspend .... + +# del object assignment for servers +moon object assignment del `vm1_uuid` `object_security_level_uuid` `high_uuid` + +# add object assignment for servers +moon object assignment add `vm1_uuid` `object_security_level_uuid` `low_uuid` + +# check now moon unblock the manipulation of vm1 +nova vm1 suspend ....
\ No newline at end of file diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh new file mode 100644 index 00000000..bf4bd3c8 --- /dev/null +++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash + +# as user demo +. openrc demo + +# create authz intraextension +moon intraextension add policy_mls_authz test_authz + +# create admin intraextension +moon intraextension add policy_rbac_admin test_admin + +# create tenant +moon tenant add --authz xxx --admin xxx demo + +# select the authz tenant +moon intraextension select `test_authz_uuid` + +# check that moon blocks modification of object assignments +moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid` + +# as user admin +. openrc admin + +# select the admin intraextension +moon intraextension select `test_admin_uuid` + +# add write permission to the dev_role user for assignment table +moon rule add `rbac_rule_uuid` [`dev_role_uuid`, `write_uuid`, `authz.assignment`] + +# as user demo +. openrc demo + +# select the authz intraextension +moon intraextension select `test_authz_uuid` + +# check that moon authorizes modification of rule table by demo +moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid` |