aboutsummaryrefslogtreecommitdiffstats
path: root/moonv4/moon_interface
diff options
context:
space:
mode:
Diffstat (limited to 'moonv4/moon_interface')
-rw-r--r--moonv4/moon_interface/moon_interface/api/rules.py25
-rw-r--r--moonv4/moon_interface/tests/apitests/populate_default_values.py61
-rw-r--r--moonv4/moon_interface/tests/apitests/scenario/rbac.py19
-rw-r--r--moonv4/moon_interface/tests/apitests/scenario/session.py23
-rw-r--r--moonv4/moon_interface/tests/apitests/set_authz.py13
-rw-r--r--moonv4/moon_interface/tests/apitests/utils/policies.py3
6 files changed, 102 insertions, 42 deletions
diff --git a/moonv4/moon_interface/moon_interface/api/rules.py b/moonv4/moon_interface/moon_interface/api/rules.py
index 81639a37..7757d275 100644
--- a/moonv4/moon_interface/moon_interface/api/rules.py
+++ b/moonv4/moon_interface/moon_interface/api/rules.py
@@ -62,13 +62,34 @@ class Rules(Resource):
:request body: post = {
"meta_rule_id": "meta_rule_id1",
"rule": ["subject_data_id2", "object_data_id2", "action_data_id2"],
+ "instructions": (
+ {"decision": "grant"},
+ )
"enabled": True
}
:return: {
"rules": [
"meta_rule_id": "meta_rule_id1",
- "rule_id1": ["subject_data_id1", "object_data_id1", "action_data_id1"],
- "rule_id2": ["subject_data_id2", "object_data_id2", "action_data_id2"],
+ "rule_id1": {
+ "rule": ["subject_data_id1", "object_data_id1", "action_data_id1"],
+ "instructions": (
+ {"decision": "grant"}, # "grant" to immediately exit,
+ # "continue" to wait for the result of next policy
+ # "deny" to deny the request
+ )
+ }
+ "rule_id2": {
+ "rule": ["subject_data_id2", "object_data_id2", "action_data_id2"],
+ "instructions": (
+ {
+ "update": {
+ "operation": "add", # operations may be "add" or "delete"
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the policy named rbac
+ )
+ }
]
}
:internal_api: add_rule
diff --git a/moonv4/moon_interface/tests/apitests/populate_default_values.py b/moonv4/moon_interface/tests/apitests/populate_default_values.py
index 5ad6098f..0e3438db 100644
--- a/moonv4/moon_interface/tests/apitests/populate_default_values.py
+++ b/moonv4/moon_interface/tests/apitests/populate_default_values.py
@@ -56,7 +56,7 @@ def create_model():
def create_policy(model_id, meta_rule_list):
if args.verbose:
logger.warning("Creating policy {}".format(scenario.policy_name))
- policy_id = add_policy(name=scenario.policy_name)
+ policy_id = add_policy(name=scenario.policy_name, genre=scenario.policy_genre)
update_policy(policy_id, model_id)
@@ -90,23 +90,52 @@ def create_policy(model_id, meta_rule_list):
scenario.actions[name] = add_action(policy_id, name=name)
for subject_name in scenario.subject_assignments:
- for subject_category_name in scenario.subject_assignments[subject_name]:
- subject_id = scenario.subjects[subject_name]
- subject_cat_id = scenario.subject_categories[subject_category_name]
- subject_data_id = scenario.subject_data[subject_category_name][scenario.subject_assignments[subject_name][subject_category_name]]
- add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id)
+ if type(scenario.subject_assignments[subject_name]) in (list, tuple):
+ for items in scenario.subject_assignments[subject_name]:
+ for subject_category_name in items:
+ subject_id = scenario.subjects[subject_name]
+ subject_cat_id = scenario.subject_categories[subject_category_name]
+ for data in scenario.subject_assignments[subject_name]:
+ subject_data_id = scenario.subject_data[subject_category_name][data[subject_category_name]]
+ add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id)
+ else:
+ for subject_category_name in scenario.subject_assignments[subject_name]:
+ subject_id = scenario.subjects[subject_name]
+ subject_cat_id = scenario.subject_categories[subject_category_name]
+ subject_data_id = scenario.subject_data[subject_category_name][scenario.subject_assignments[subject_name][subject_category_name]]
+ add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id)
+
for object_name in scenario.object_assignments:
- for object_category_name in scenario.object_assignments[object_name]:
- object_id = scenario.objects[object_name]
- object_cat_id = scenario.object_categories[object_category_name]
- object_data_id = scenario.object_data[object_category_name][scenario.object_assignments[object_name][object_category_name]]
- add_object_assignments(policy_id, object_id, object_cat_id, object_data_id)
+ if type(scenario.object_assignments[object_name]) in (list, tuple):
+ for items in scenario.object_assignments[object_name]:
+ for object_category_name in items:
+ object_id = scenario.objects[object_name]
+ object_cat_id = scenario.object_categories[object_category_name]
+ for data in scenario.object_assignments[object_name]:
+ object_data_id = scenario.object_data[object_category_name][data[object_category_name]]
+ add_object_assignments(policy_id, object_id, object_cat_id, object_data_id)
+ else:
+ for object_category_name in scenario.object_assignments[object_name]:
+ object_id = scenario.objects[object_name]
+ object_cat_id = scenario.object_categories[object_category_name]
+ object_data_id = scenario.object_data[object_category_name][scenario.object_assignments[object_name][object_category_name]]
+ add_object_assignments(policy_id, object_id, object_cat_id, object_data_id)
+
for action_name in scenario.action_assignments:
- for action_category_name in scenario.action_assignments[action_name]:
- action_id = scenario.actions[action_name]
- action_cat_id = scenario.action_categories[action_category_name]
- action_data_id = scenario.action_data[action_category_name][scenario.action_assignments[action_name][action_category_name]]
- add_action_assignments(policy_id, action_id, action_cat_id, action_data_id)
+ if type(scenario.action_assignments[action_name]) in (list, tuple):
+ for items in scenario.action_assignments[action_name]:
+ for action_category_name in items:
+ action_id = scenario.actions[action_name]
+ action_cat_id = scenario.action_categories[action_category_name]
+ for data in scenario.action_assignments[action_name]:
+ action_data_id = scenario.action_data[action_category_name][data[action_category_name]]
+ add_action_assignments(policy_id, action_id, action_cat_id, action_data_id)
+ else:
+ for action_category_name in scenario.action_assignments[action_name]:
+ action_id = scenario.actions[action_name]
+ action_cat_id = scenario.action_categories[action_category_name]
+ action_data_id = scenario.action_data[action_category_name][scenario.action_assignments[action_name][action_category_name]]
+ add_action_assignments(policy_id, action_id, action_cat_id, action_data_id)
for meta_rule_name in scenario.rules:
meta_rule_value = scenario.meta_rule[meta_rule_name]
diff --git a/moonv4/moon_interface/tests/apitests/scenario/rbac.py b/moonv4/moon_interface/tests/apitests/scenario/rbac.py
index a43bd1f4..89fd7de8 100644
--- a/moonv4/moon_interface/tests/apitests/scenario/rbac.py
+++ b/moonv4/moon_interface/tests/apitests/scenario/rbac.py
@@ -2,6 +2,7 @@
pdp_name = "pdp1"
policy_name = "RBAC policy example"
model_name = "RBAC"
+policy_genre = "authz"
subjects = {"user0": "", "user1": "", }
objects = {"vm0": "", "vm1": "", }
@@ -11,13 +12,13 @@ subject_categories = {"role": "", }
object_categories = {"id": "", }
action_categories = {"action-type": "", }
-subject_data = {"role": {"admin": "", "employee": ""}}
-object_data = {"id": {"vm0": "", "vm1": ""}}
-action_data = {"action-type": {"vm-action": "", }}
+subject_data = {"role": {"admin": "", "employee": "", "*": ""}}
+object_data = {"id": {"vm0": "", "vm1": "", "*": ""}}
+action_data = {"action-type": {"vm-action": "", "*": ""}}
-subject_assignments = {"user0": {"role": "employee"}, "user1": {"role": "employee"}, }
-object_assignments = {"vm0": {"id": "vm0"}, "vm1": {"id": "vm1"}}
-action_assignments = {"start": {"action-type": "vm-action"}, "stop": {"action-type": "vm-action"}}
+subject_assignments = {"user0": ({"role": "employee"}, {"role": "*"}), "user1": ({"role": "employee"}, {"role": "*"}), }
+object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})}
+action_assignments = {"start": ({"action-type": "vm-action"}, {"action-type": "*"}), "stop": ({"action-type": "vm-action"}, {"action-type": "*"})}
meta_rule = {
"rbac": {"id": "", "value": ("role", "id", "action-type")},
@@ -28,13 +29,13 @@ rules = {
{
"rule": ("admin", "vm0", "vm-action"),
"instructions": (
- {"decision": "grant"} # "grant" to immediately exit, "continue" to wait for the result of next policy
+ {"decision": "grant"}, # "grant" to immediately exit, "continue" to wait for the result of next policy
)
},
{
- "rule": ("admin", "vm1", "vm-action"),
+ "rule": ("employee", "vm1", "vm-action"),
"instructions": (
- {"decision": "grant"}
+ {"decision": "grant"},
)
},
)
diff --git a/moonv4/moon_interface/tests/apitests/scenario/session.py b/moonv4/moon_interface/tests/apitests/scenario/session.py
index 6b7e0f18..97d7aec3 100644
--- a/moonv4/moon_interface/tests/apitests/scenario/session.py
+++ b/moonv4/moon_interface/tests/apitests/scenario/session.py
@@ -2,6 +2,7 @@
pdp_name = "pdp1"
policy_name = "Session policy example"
model_name = "Session"
+policy_genre = "session"
subjects = {"user0": "", "user1": "", }
objects = {"admin": "", "employee": "", }
@@ -12,12 +13,16 @@ object_categories = {"role": "", }
action_categories = {"session-action": "", }
subject_data = {"subjectid": {"user0": "", "user1": ""}}
-object_data = {"role": {"admin": "", "employee": ""}}
-action_data = {"session-action": {"activate": "", "deactivate": ""}}
+object_data = {"role": {"admin": "", "employee": "", "*": ""}}
+action_data = {"session-action": {"activate": "", "deactivate": "", "*": ""}}
-subject_assignments = {"user0": {"subjectid": "user0"}, "user1": {"subjectid": "user1"}, }
-object_assignments = {"admin": {"role": "admin"}, "employee": {"role": "employee"}}
-action_assignments = {"activate": {"session-action": "activate"}, "deactivate": {"session-action": "deactivate"}}
+subject_assignments = {"user0": ({"subjectid": "user0"}, ), "user1": ({"subjectid": "user1"}, ), }
+object_assignments = {"admin": ({"role": "admin"}, {"role": "*"}),
+ "employee": ({"role": "employee"}, {"role": "employee"})
+ }
+action_assignments = {"activate": ({"session-action": "activate"}, {"session-action": "*"}, ),
+ "deactivate": ({"session-action": "deactivate"}, {"session-action": "*"}, )
+ }
meta_rule = {
"session": {"id": "", "value": ("subjectid", "role", "session-action")},
@@ -26,7 +31,7 @@ meta_rule = {
rules = {
"session": (
{
- "rule": ("user0", "admin", "activate"),
+ "rule": ("user0", "employee", "*"),
"instructions": (
{
"update": {
@@ -34,11 +39,11 @@ rules = {
"target": "rbac:role:admin" # add the role admin to the current user
}
},
- {"chain": [{"security_pipeline": "rbac"}]} # chain with the meta_rule named rbac
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
)
},
{
- "rule": ("user1", "employee", "deactivate"),
+ "rule": ("user1", "employee", "*"),
"instructions": (
{
"update": {
@@ -46,7 +51,7 @@ rules = {
"target": "rbac:role:employee" # delete the role employee from the current user
}
},
- {"chain": [{"security_pipeline": "rbac"}]} # chain with the meta_rule named rbac
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
)
},
)
diff --git a/moonv4/moon_interface/tests/apitests/set_authz.py b/moonv4/moon_interface/tests/apitests/set_authz.py
index 38b63509..f515e4eb 100644
--- a/moonv4/moon_interface/tests/apitests/set_authz.py
+++ b/moonv4/moon_interface/tests/apitests/set_authz.py
@@ -41,10 +41,13 @@ for rule in rules:
url = "http://172.18.0.11:38001/authz/{}/{}".format(keystone_project_id, "/".join(rule))
req = requests.get(url)
print("\033[1m{}\033[m {}".format(url, req.status_code))
- j = req.json()
- # print(j)
- if j.get("authz"):
- print("\t\033[32m{}\033[m {}".format(j.get("authz"), j.get("error", "")))
+ try:
+ j = req.json()
+ except Exception as e:
+ print(req.text)
else:
- print("\t\033[31m{}\033[m {}".format(j.get("authz"), j.get("error", "")))
+ if j.get("authz"):
+ print("\t\033[32m{}\033[m {}".format(j.get("authz"), j.get("error", "")))
+ else:
+ print("\t\033[31m{}\033[m {}".format(j.get("authz"), j.get("error", "")))
diff --git a/moonv4/moon_interface/tests/apitests/utils/policies.py b/moonv4/moon_interface/tests/apitests/utils/policies.py
index bf75734f..969ab70b 100644
--- a/moonv4/moon_interface/tests/apitests/utils/policies.py
+++ b/moonv4/moon_interface/tests/apitests/utils/policies.py
@@ -63,8 +63,9 @@ def check_policy(policy_id=None):
assert policy_template["name"] == result['policies'][policy_id]["name"]
-def add_policy(name="test_policy"):
+def add_policy(name="test_policy", genre="authz"):
policy_template["name"] = name
+ policy_template["genre"] = genre
req = requests.post(URL.format("/policies"), json=policy_template, headers=HEADERS)
assert req.status_code == 200
result = req.json()