diff options
Diffstat (limited to 'moonv4/moon_interface/tests')
6 files changed, 125 insertions, 9 deletions
diff --git a/moonv4/moon_interface/tests/apitests/populate_default_values.py b/moonv4/moon_interface/tests/apitests/populate_default_values.py index f58a7444..e489a232 100644 --- a/moonv4/moon_interface/tests/apitests/populate_default_values.py +++ b/moonv4/moon_interface/tests/apitests/populate_default_values.py @@ -113,7 +113,7 @@ def create_policy(model_id, meta_rule_list): meta_rule_value = scenario.meta_rule[meta_rule_name] for rule in scenario.rules[meta_rule_name]: _meta_rule = list(meta_rule_value["value"]) - for data_name in rule: + for data_name in rule["rule"]: category_name = _meta_rule.pop(0) if category_name in scenario.subject_categories: data_list.append(scenario.subject_data[category_name][data_name]) @@ -121,7 +121,8 @@ def create_policy(model_id, meta_rule_list): data_list.append(scenario.object_data[category_name][data_name]) elif category_name in scenario.action_categories: data_list.append(scenario.action_data[category_name][data_name]) - add_rule(policy_id, meta_rule_value["id"], data_list) + instructions = rule["instructions"] + add_rule(policy_id, meta_rule_value["id"], data_list, instructions) return policy_id diff --git a/moonv4/moon_interface/tests/apitests/scenario/delegation.py b/moonv4/moon_interface/tests/apitests/scenario/delegation.py new file mode 100644 index 00000000..839e74ce --- /dev/null +++ b/moonv4/moon_interface/tests/apitests/scenario/delegation.py @@ -0,0 +1,40 @@ + +pdp_name = "pdp1" +policy_name = "Delegation policy example" +model_name = "Delegation" + +subjects = {"user0": "", } +objects = {"user1": "", } +actions = {"delegate": ""} + +subject_categories = {"subjectid": "", } +object_categories = {"delegated": "", } +action_categories = {"delegation-action": "", } + +subject_data = {"subjectid": {"user0": ""}} +object_data = {"delegated": {"user1": ""}} +action_data = {"delegation-action": {"delegate": ""}} + +subject_assignments = {"user0": {"subjectid": "user0"}} +object_assignments = {"user1": {"delegated": "user1"}} +action_assignments = {"delegate": {"delegation-action": "delegate"}} + +meta_rule = { + "session": {"id": "", "value": ("subjectid", "delegated", "delegation-action")}, +} + +rules = { + "session": ( + { + "rule": ("user0", "user1", "delegate"), + "instructions": ( + { + "update": {"request:subject": "user1"} # update the current user with "user1" + }, + {"chain": {"security_pipeline": "rbac"}} + ) + }, + ) +} + + diff --git a/moonv4/moon_interface/tests/apitests/scenario/mls.py b/moonv4/moon_interface/tests/apitests/scenario/mls.py index e36a86bc..3a3ded43 100644 --- a/moonv4/moon_interface/tests/apitests/scenario/mls.py +++ b/moonv4/moon_interface/tests/apitests/scenario/mls.py @@ -38,8 +38,17 @@ meta_rule = { rules = { "mls": ( - ("high", "medium", "vm-action"), - ("high", "low", "vm-action"), - ("medium", "low", "vm-action"), + { + "rules": ("high", "medium", "vm-action"), + "instructions": ({"decision": "grant"}) + }, + { + "rules": ("high", "low", "vm-action"), + "instructions": ({"decision": "grant"}) + }, + { + "rules": ("medium", "low", "vm-action"), + "instructions": ({"decision": "grant"}) + }, ) } diff --git a/moonv4/moon_interface/tests/apitests/scenario/rbac.py b/moonv4/moon_interface/tests/apitests/scenario/rbac.py index cd08308e..a43bd1f4 100644 --- a/moonv4/moon_interface/tests/apitests/scenario/rbac.py +++ b/moonv4/moon_interface/tests/apitests/scenario/rbac.py @@ -15,7 +15,7 @@ subject_data = {"role": {"admin": "", "employee": ""}} object_data = {"id": {"vm0": "", "vm1": ""}} action_data = {"action-type": {"vm-action": "", }} -subject_assignments = {"user0": {"role": "admin"}, "user1": {"role": "employee"}, } +subject_assignments = {"user0": {"role": "employee"}, "user1": {"role": "employee"}, } object_assignments = {"vm0": {"id": "vm0"}, "vm1": {"id": "vm1"}} action_assignments = {"start": {"action-type": "vm-action"}, "stop": {"action-type": "vm-action"}} @@ -25,8 +25,18 @@ meta_rule = { rules = { "rbac": ( - ("admin", "vm0", "vm-action"), - ("admin", "vm1", "vm-action"), + { + "rule": ("admin", "vm0", "vm-action"), + "instructions": ( + {"decision": "grant"} # "grant" to immediately exit, "continue" to wait for the result of next policy + ) + }, + { + "rule": ("admin", "vm1", "vm-action"), + "instructions": ( + {"decision": "grant"} + ) + }, ) } diff --git a/moonv4/moon_interface/tests/apitests/scenario/session.py b/moonv4/moon_interface/tests/apitests/scenario/session.py new file mode 100644 index 00000000..6b7e0f18 --- /dev/null +++ b/moonv4/moon_interface/tests/apitests/scenario/session.py @@ -0,0 +1,55 @@ + +pdp_name = "pdp1" +policy_name = "Session policy example" +model_name = "Session" + +subjects = {"user0": "", "user1": "", } +objects = {"admin": "", "employee": "", } +actions = {"activate": "", "deactivate": ""} + +subject_categories = {"subjectid": "", } +object_categories = {"role": "", } +action_categories = {"session-action": "", } + +subject_data = {"subjectid": {"user0": "", "user1": ""}} +object_data = {"role": {"admin": "", "employee": ""}} +action_data = {"session-action": {"activate": "", "deactivate": ""}} + +subject_assignments = {"user0": {"subjectid": "user0"}, "user1": {"subjectid": "user1"}, } +object_assignments = {"admin": {"role": "admin"}, "employee": {"role": "employee"}} +action_assignments = {"activate": {"session-action": "activate"}, "deactivate": {"session-action": "deactivate"}} + +meta_rule = { + "session": {"id": "", "value": ("subjectid", "role", "session-action")}, +} + +rules = { + "session": ( + { + "rule": ("user0", "admin", "activate"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": [{"security_pipeline": "rbac"}]} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user1", "employee", "deactivate"), + "instructions": ( + { + "update": { + "operation": "delete", + "target": "rbac:role:employee" # delete the role employee from the current user + } + }, + {"chain": [{"security_pipeline": "rbac"}]} # chain with the meta_rule named rbac + ) + }, + ) +} + + diff --git a/moonv4/moon_interface/tests/apitests/utils/policies.py b/moonv4/moon_interface/tests/apitests/utils/policies.py index 67be91e5..bf75734f 100644 --- a/moonv4/moon_interface/tests/apitests/utils/policies.py +++ b/moonv4/moon_interface/tests/apitests/utils/policies.py @@ -527,11 +527,12 @@ def delete_action_assignment(policy_id, action_id, action_cat_id, action_data_id assert action_data_id not in result["action_assignments"][key]["assignments"] -def add_rule(policy_id, meta_rule_id, rule): +def add_rule(policy_id, meta_rule_id, rule, instructions={"chain": [{"security_pipeline": "rbac"}]}): req = requests.post(URL.format("/policies/{}/rules".format(policy_id)), json={ "meta_rule_id": meta_rule_id, "rule": rule, + "instructions": instructions, "enabled": True }, headers=HEADERS) |