Diffstat (limited to 'keystone-moon/keystone')
-rw-r--r--keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh33
-rw-r--r--keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh39
-rw-r--r--keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh37
3 files changed, 109 insertions, 0 deletions
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh
new file mode 100644
index 00000000..36afd5a1
--- /dev/null
+++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# as user admin
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx `demo`
+
+# check that now moon authorizes the manipulation list_servers
+nova list
+
+# select the authz intraextension
+moon intraextension select `test_authz_uuid`
+
+# del object assignment for servers
+moon object assignment del `servers_uuid` `object_security_level_uuid` `low_uuid`
+
+# add object assignment for servers
+moon object assignment add `servers_uuid` `object_security_level_uuid` `high_uuid`
+
+# check now moon block the manipulation list_servers
+nova list
+
+# del object assignment for servers
+moon object assignment del `servers_uuid` `object_security_level_uuid` `high_uuid`
+
+# add object assignment for servers
+moon object assignment add `servers_uuid` `object_security_level_uuid` `low_uuid` \ No newline at end of file
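Review bot: The backticked placeholders on lines such as `moon tenant add --authz xxx --admin xxx `demo`` and `moon intraextension select `test_authz_uuid`` are command substitutions in bash, so the script will try to execute `demo` and `test_authz_uuid` as commands and hand moon an empty argument instead of a tenant name or UUID. If these are meant to be resolved at run time they should be shell variables populated from the moon CLI (exact output format not visible here) and expanded quoted, e.g. `moon intraextension select "$authz_uuid"`. The two `nova list` calls on lines 32 and 44 are also not assertions: without `set -euo pipefail` and an exit-status check, a denial and a success look identical and the scenario can never fail, so the negative check should read `nova list && { echo 'expected list_servers to be denied' >&2; exit 1; }` and the positive one `nova list || exit 1`. The restore of the `low` assignment at the end only runs if every earlier step succeeded; a `trap ... EXIT` would be more robust but is optional for a scenario script.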
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh
new file mode 100644
index 00000000..f2c0e4fc
--- /dev/null
+++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# as user admin
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx demo
+
+# select the authz tenant
+moon intraextension select `test_authz_uuid`
+
+# create a VM (vm1) in OpenStack
+nova create vm1.....
+
+# add corresponding object in moon
+moon object add vm1
+
+# check that moon blocks the vm1 manipulatin
+nova vm1 suspend ....
+
+# add object assignment for vm1
+moon object assignment `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# check now moon block the manipulation of vm1
+nova vm1 suspend ....
+
+# del object assignment for servers
+moon object assignment del `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# add object assignment for servers
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `low_uuid`
+
+# check now moon unblock the manipulation of vm1
+nova vm1 suspend .... \ No newline at end of file
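Review bot: Line 83, `moon object assignment `vm1_uuid` `object_security_level_uuid` `high_uuid``, is missing the `add` subcommand that line 92 uses, so that step either fails or is parsed differently by the CLI, and the "blocked" check on line 86 would then be exercising an unchanged policy. As in the sibling scenarios the backticked names are command substitutions and `nova vm1 suspend ....` is not a valid nova invocation (presumably `nova suspend vm1` is intended), so these read as notes rather than runnable steps; if a runnable test is the goal, the placeholders should become quoted variables and each check should assert its expected exit status, e.g. `nova suspend vm1 && { echo 'expected suspend to be denied' >&2; exit 1; }` for lines 80 and 86 and `nova suspend vm1 || exit 1` for line 95. Line 79 also asserts that the manipulation is blocked before any assignment exists, which relies on the MLS policy denying unassigned objects by default — worth stating in the comment, e.g. `# vm1 has no security level yet, so policy_mls_authz is expected to deny by default`, if that is the assumption.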
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh
new file mode 100644
index 00000000..bf4bd3c8
--- /dev/null
+++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# as user demo
+. openrc demo
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx demo
+
+# select the authz tenant
+moon intraextension select `test_authz_uuid`
+
+# check that moon blocks modification of object assignments
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# as user admin
+. openrc admin
+
+# select the admin intraextension
+moon intraextension select `test_admin_uuid`
+
+# add write permission to the dev_role user for assignment table
+moon rule add `rbac_rule_uuid` [`dev_role_uuid`, `write_uuid`, `authz.assignment`]
+
+# as user demo
+. openrc demo
+
+# select the authz intraextension
+moon intraextension select `test_authz_uuid`
+
+# check that moon authorizes modification of rule table by demo
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid`
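Review bot: Line 120 is the security-relevant check of this scenario — that `demo` cannot modify object assignments before admin grants `dev_role` write on `authz.assignment` — but nothing captures its exit status, so a regression where demo succeeds there passes silently. An explicit assertion such as `moon object assignment add "$vm1_uuid" "$osl_uuid" "$high_uuid" && { echo 'demo must not be able to write assignments' >&2; exit 1; }` makes the denial real, and the final step on line 138 should likewise end with `|| exit 1`. The rule line `moon rule add `rbac_rule_uuid` [`dev_role_uuid`, `write_uuid`, `authz.assignment`]` is not valid shell either: the backticks execute the placeholders as commands and the unquoted `[...]` is subject to globbing and word-splitting, so the whole argument needs to be single-quoted or built from variables in whatever format the moon CLI actually accepts. Also `. openrc demo` and `. openrc admin` source a credentials file relative to the current directory on every identity switch; pinning the path, e.g. `. "${OPENRC:-$(dirname "$0")/openrc}" demo`, avoids sourcing whatever `openrc` happens to be in the cwd.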