aboutsummaryrefslogtreecommitdiffstats
path: root/tests/functional
diff options
context:
space:
mode:
Diffstat (limited to 'tests/functional')
-rw-r--r--tests/functional/get_keystone_projects.py16
-rw-r--r--tests/functional/populate_default_values.py37
-rw-r--r--tests/functional/scenario/delegation.py40
-rw-r--r--tests/functional/scenario/mls.py54
-rw-r--r--tests/functional/scenario/rbac.py44
-rw-r--r--tests/functional/scenario/rbac_custom_100.py89
-rw-r--r--tests/functional/scenario/rbac_custom_1000.py89
-rw-r--r--tests/functional/scenario/rbac_custom_50.py89
-rw-r--r--tests/functional/scenario/rbac_large.py233
-rw-r--r--tests/functional/scenario/rbac_mls.py50
-rw-r--r--tests/functional/scenario/session.py60
-rw-r--r--tests/functional/scenario/session_large.py389
-rw-r--r--tests/functional/send_authz.py32
13 files changed, 1222 insertions, 0 deletions
diff --git a/tests/functional/get_keystone_projects.py b/tests/functional/get_keystone_projects.py
new file mode 100644
index 00000000..9b5d87cd
--- /dev/null
+++ b/tests/functional/get_keystone_projects.py
@@ -0,0 +1,16 @@
+from python_moonclient import parse, models, policies, pdp
+
+
+if __name__ == "__main__":
+ args = parse.parse()
+ consul_host = args.consul_host
+ consul_port = args.consul_port
+
+ models.init(consul_host, consul_port)
+ policies.init(consul_host, consul_port)
+ pdp.init(consul_host, consul_port)
+
+ projects = pdp.get_keystone_projects()
+
+ for _project in projects['projects']:
+ print("{} {}".format(_project['id'], _project['name']))
diff --git a/tests/functional/populate_default_values.py b/tests/functional/populate_default_values.py
new file mode 100644
index 00000000..d5a5769b
--- /dev/null
+++ b/tests/functional/populate_default_values.py
@@ -0,0 +1,37 @@
+import logging
+from importlib.machinery import SourceFileLoader
+from python_moonclient import parse, models, policies, pdp
+
+logger = logging.getLogger("moonforming")
+
+
+if __name__ == "__main__":
+ requests_log = logging.getLogger("requests.packages.urllib3")
+ requests_log.setLevel(logging.WARNING)
+ requests_log.propagate = True
+
+ args = parse.parse()
+ consul_host = args.consul_host
+ consul_port = args.consul_port
+ project_id = args.keystone_pid
+
+ models.init(consul_host, consul_port)
+ policies.init(consul_host, consul_port)
+ pdp.init(consul_host, consul_port)
+
+ if args.filename:
+ print("Loading: {}".format(args.filename[0]))
+ m = SourceFileLoader("scenario", args.filename[0])
+ scenario = m.load_module()
+
+ _models = models.check_model()
+ for _model_id, _model_value in _models['models'].items():
+ if _model_value['name'] == scenario.model_name:
+ model_id = _model_id
+ meta_rule_list = _model_value['meta_rules']
+ models.create_model(scenario, model_id)
+ break
+ else:
+ model_id, meta_rule_list = models.create_model(scenario)
+ policy_id = policies.create_policy(scenario, model_id, meta_rule_list)
+ pdp_id = pdp.create_pdp(scenario, policy_id=policy_id, project_id=project_id)
diff --git a/tests/functional/scenario/delegation.py b/tests/functional/scenario/delegation.py
new file mode 100644
index 00000000..839e74ce
--- /dev/null
+++ b/tests/functional/scenario/delegation.py
@@ -0,0 +1,40 @@
+
+pdp_name = "pdp1"
+policy_name = "Delegation policy example"
+model_name = "Delegation"
+
+subjects = {"user0": "", }
+objects = {"user1": "", }
+actions = {"delegate": ""}
+
+subject_categories = {"subjectid": "", }
+object_categories = {"delegated": "", }
+action_categories = {"delegation-action": "", }
+
+subject_data = {"subjectid": {"user0": ""}}
+object_data = {"delegated": {"user1": ""}}
+action_data = {"delegation-action": {"delegate": ""}}
+
+subject_assignments = {"user0": {"subjectid": "user0"}}
+object_assignments = {"user1": {"delegated": "user1"}}
+action_assignments = {"delegate": {"delegation-action": "delegate"}}
+
+meta_rule = {
+ "session": {"id": "", "value": ("subjectid", "delegated", "delegation-action")},
+}
+
+rules = {
+ "session": (
+ {
+ "rule": ("user0", "user1", "delegate"),
+ "instructions": (
+ {
+ "update": {"request:subject": "user1"} # update the current user with "user1"
+ },
+ {"chain": {"security_pipeline": "rbac"}}
+ )
+ },
+ )
+}
+
+
diff --git a/tests/functional/scenario/mls.py b/tests/functional/scenario/mls.py
new file mode 100644
index 00000000..3a3ded43
--- /dev/null
+++ b/tests/functional/scenario/mls.py
@@ -0,0 +1,54 @@
+
+pdp_name = "pdp1"
+policy_name = "MLS Policy example"
+model_name = "MLS"
+
+subjects = {"user0": "", "user1": "", "user2": "", }
+objects = {"vm0": "", "vm1": "", }
+actions = {"start": "", "stop": ""}
+
+subject_categories = {"subject-security-level": "", }
+object_categories = {"object-security-level": "", }
+action_categories = {"action-type": "", }
+
+subject_data = {
+ "subject-security-level": {"low": "", "medium": "", "high": ""},
+}
+object_data = {
+ "object-security-level": {"low": "", "medium": "", "high": ""},
+}
+action_data = {"action-type": {"vm-action": "", "storage-action": "", }}
+
+subject_assignments = {
+ "user0": {"subject-security-level": "high"},
+ "user1": {"subject-security-level": "medium"},
+}
+object_assignments = {
+ "vm0": {"object-security-level": "medium"},
+ "vm1": {"object-security-level": "low"},
+}
+action_assignments = {
+ "start": {"action-type": "vm-action"},
+ "stop": {"action-type": "vm-action"}
+}
+
+meta_rule = {
+ "mls": {"id": "", "value": ("subject-security-level", "object-security-level", "action-type")},
+}
+
+rules = {
+ "mls": (
+ {
+ "rules": ("high", "medium", "vm-action"),
+ "instructions": ({"decision": "grant"})
+ },
+ {
+ "rules": ("high", "low", "vm-action"),
+ "instructions": ({"decision": "grant"})
+ },
+ {
+ "rules": ("medium", "low", "vm-action"),
+ "instructions": ({"decision": "grant"})
+ },
+ )
+}
diff --git a/tests/functional/scenario/rbac.py b/tests/functional/scenario/rbac.py
new file mode 100644
index 00000000..89fd7de8
--- /dev/null
+++ b/tests/functional/scenario/rbac.py
@@ -0,0 +1,44 @@
+
+pdp_name = "pdp1"
+policy_name = "RBAC policy example"
+model_name = "RBAC"
+policy_genre = "authz"
+
+subjects = {"user0": "", "user1": "", }
+objects = {"vm0": "", "vm1": "", }
+actions = {"start": "", "stop": ""}
+
+subject_categories = {"role": "", }
+object_categories = {"id": "", }
+action_categories = {"action-type": "", }
+
+subject_data = {"role": {"admin": "", "employee": "", "*": ""}}
+object_data = {"id": {"vm0": "", "vm1": "", "*": ""}}
+action_data = {"action-type": {"vm-action": "", "*": ""}}
+
+subject_assignments = {"user0": ({"role": "employee"}, {"role": "*"}), "user1": ({"role": "employee"}, {"role": "*"}), }
+object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})}
+action_assignments = {"start": ({"action-type": "vm-action"}, {"action-type": "*"}), "stop": ({"action-type": "vm-action"}, {"action-type": "*"})}
+
+meta_rule = {
+ "rbac": {"id": "", "value": ("role", "id", "action-type")},
+}
+
+rules = {
+ "rbac": (
+ {
+ "rule": ("admin", "vm0", "vm-action"),
+ "instructions": (
+ {"decision": "grant"}, # "grant" to immediately exit, "continue" to wait for the result of next policy
+ )
+ },
+ {
+ "rule": ("employee", "vm1", "vm-action"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ )
+}
+
+
diff --git a/tests/functional/scenario/rbac_custom_100.py b/tests/functional/scenario/rbac_custom_100.py
new file mode 100644
index 00000000..9ee55dbd
--- /dev/null
+++ b/tests/functional/scenario/rbac_custom_100.py
@@ -0,0 +1,89 @@
+import random
+
+pdp_name = "pdp_100"
+policy_name = "RBAC policy example 100 users"
+model_name = "RBAC"
+policy_genre = "authz"
+
+SUBJECT_NUMBER = 100
+OBJECT_NUMBER = 100
+ROLE_NUMBER = 50
+
+subjects = {}
+for _id in range(SUBJECT_NUMBER):
+ subjects["user{}".format(_id)] = ""
+objects = {}
+for _id in range(OBJECT_NUMBER):
+ objects["vm{}".format(_id)] = ""
+actions = {
+ "start": "",
+ "stop": "",
+ "pause": "",
+ "unpause": "",
+ "destroy": "",
+}
+
+subject_categories = {"role": "", }
+object_categories = {"id": "", }
+action_categories = {"action-type": "", }
+
+subject_data = {"role": {"admin": "", "*": ""}}
+for _id in range(ROLE_NUMBER):
+ subject_data["role"]["role{}".format(_id)] = ""
+object_data = {"id": {"*": ""}}
+for _id in range(OBJECT_NUMBER):
+ object_data["id"]["vm{}".format(_id)] = ""
+action_data = {"action-type": {
+ "vm-read": "",
+ "vm-write": "",
+ "*": ""
+}}
+
+subject_assignments = {}
+for _id in range(SUBJECT_NUMBER):
+ _role = "role{}".format(random.randrange(ROLE_NUMBER))
+ subject_assignments["user{}".format(_id)] = [{"role": _role}, {"role": "*"}]
+object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})}
+for _id in range(OBJECT_NUMBER):
+ object_assignments["vm{}".format(_id)] = [{"id": "vm{}".format(_id)}, {"id": "*"}]
+action_assignments = {
+ "start": ({"action-type": "vm-write"}, {"action-type": "*"}),
+ "stop": ({"action-type": "vm-write"}, {"action-type": "*"}),
+ "pause": ({"action-type": "vm-read"}, {"action-type": "*"}),
+ "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}),
+ "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}),
+}
+
+meta_rule = {
+ "rbac": {"id": "", "value": ("role", "id", "action-type")},
+}
+
+rules = {
+ "rbac": [
+ {
+ "rule": ("admin", "vm0", "vm-read"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("admin", "vm0", "vm-write"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ ]
+}
+
+for _id in range(SUBJECT_NUMBER):
+ _role = "role{}".format(random.randrange(ROLE_NUMBER))
+ _vm = "vm{}".format(random.randrange(OBJECT_NUMBER))
+ _action = random.choice(list(action_data['action-type'].keys()))
+ rules["rbac"].append(
+ {
+ "rule": (_role, _vm, _action),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ )
diff --git a/tests/functional/scenario/rbac_custom_1000.py b/tests/functional/scenario/rbac_custom_1000.py
new file mode 100644
index 00000000..d6850485
--- /dev/null
+++ b/tests/functional/scenario/rbac_custom_1000.py
@@ -0,0 +1,89 @@
+import random
+
+pdp_name = "pdp_1000"
+policy_name = "RBAC policy example 1000 users"
+model_name = "RBAC"
+policy_genre = "authz"
+
+SUBJECT_NUMBER = 1000
+OBJECT_NUMBER = 500
+ROLE_NUMBER = 50
+
+subjects = {}
+for _id in range(SUBJECT_NUMBER):
+ subjects["user{}".format(_id)] = ""
+objects = {}
+for _id in range(OBJECT_NUMBER):
+ objects["vm{}".format(_id)] = ""
+actions = {
+ "start": "",
+ "stop": "",
+ "pause": "",
+ "unpause": "",
+ "destroy": "",
+}
+
+subject_categories = {"role": "", }
+object_categories = {"id": "", }
+action_categories = {"action-type": "", }
+
+subject_data = {"role": {"admin": "", "*": ""}}
+for _id in range(ROLE_NUMBER):
+ subject_data["role"]["role{}".format(_id)] = ""
+object_data = {"id": {"*": ""}}
+for _id in range(OBJECT_NUMBER):
+ object_data["id"]["vm{}".format(_id)] = ""
+action_data = {"action-type": {
+ "vm-read": "",
+ "vm-write": "",
+ "*": ""
+}}
+
+subject_assignments = {}
+for _id in range(SUBJECT_NUMBER):
+ _role = "role{}".format(random.randrange(ROLE_NUMBER))
+ subject_assignments["user{}".format(_id)] = [{"role": _role}, {"role": "*"}]
+object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})}
+for _id in range(OBJECT_NUMBER):
+ object_assignments["vm{}".format(_id)] = [{"id": "vm{}".format(_id)}, {"id": "*"}]
+action_assignments = {
+ "start": ({"action-type": "vm-write"}, {"action-type": "*"}),
+ "stop": ({"action-type": "vm-write"}, {"action-type": "*"}),
+ "pause": ({"action-type": "vm-read"}, {"action-type": "*"}),
+ "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}),
+ "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}),
+}
+
+meta_rule = {
+ "rbac": {"id": "", "value": ("role", "id", "action-type")},
+}
+
+rules = {
+ "rbac": [
+ {
+ "rule": ("admin", "vm0", "vm-read"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("admin", "vm0", "vm-write"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ ]
+}
+
+for _id in range(SUBJECT_NUMBER):
+ _role = "role{}".format(random.randrange(ROLE_NUMBER))
+ _vm = "vm{}".format(random.randrange(OBJECT_NUMBER))
+ _action = random.choice(list(action_data['action-type'].keys()))
+ rules["rbac"].append(
+ {
+ "rule": (_role, _vm, _action),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ )
diff --git a/tests/functional/scenario/rbac_custom_50.py b/tests/functional/scenario/rbac_custom_50.py
new file mode 100644
index 00000000..e1437cf4
--- /dev/null
+++ b/tests/functional/scenario/rbac_custom_50.py
@@ -0,0 +1,89 @@
+import random
+
+pdp_name = "pdp_50"
+policy_name = "RBAC policy example 50 users"
+model_name = "RBAC"
+policy_genre = "authz"
+
+SUBJECT_NUMBER = 50
+OBJECT_NUMBER = 50
+ROLE_NUMBER = 10
+
+subjects = {}
+for _id in range(SUBJECT_NUMBER):
+ subjects["user{}".format(_id)] = ""
+objects = {}
+for _id in range(OBJECT_NUMBER):
+ objects["vm{}".format(_id)] = ""
+actions = {
+ "start": "",
+ "stop": "",
+ "pause": "",
+ "unpause": "",
+ "destroy": "",
+}
+
+subject_categories = {"role": "", }
+object_categories = {"id": "", }
+action_categories = {"action-type": "", }
+
+subject_data = {"role": {"admin": "", "*": ""}}
+for _id in range(ROLE_NUMBER):
+ subject_data["role"]["role{}".format(_id)] = ""
+object_data = {"id": {"*": ""}}
+for _id in range(OBJECT_NUMBER):
+ object_data["id"]["vm{}".format(_id)] = ""
+action_data = {"action-type": {
+ "vm-read": "",
+ "vm-write": "",
+ "*": ""
+}}
+
+subject_assignments = {}
+for _id in range(SUBJECT_NUMBER):
+ _role = "role{}".format(random.randrange(ROLE_NUMBER))
+ subject_assignments["user{}".format(_id)] = [{"role": _role}, {"role": "*"}]
+object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})}
+for _id in range(OBJECT_NUMBER):
+ object_assignments["vm{}".format(_id)] = [{"id": "vm{}".format(_id)}, {"id": "*"}]
+action_assignments = {
+ "start": ({"action-type": "vm-write"}, {"action-type": "*"}),
+ "stop": ({"action-type": "vm-write"}, {"action-type": "*"}),
+ "pause": ({"action-type": "vm-read"}, {"action-type": "*"}),
+ "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}),
+ "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}),
+}
+
+meta_rule = {
+ "rbac": {"id": "", "value": ("role", "id", "action-type")},
+}
+
+rules = {
+ "rbac": [
+ {
+ "rule": ("admin", "vm0", "vm-read"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("admin", "vm0", "vm-write"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ ]
+}
+
+for _id in range(SUBJECT_NUMBER):
+ _role = "role{}".format(random.randrange(ROLE_NUMBER))
+ _vm = "vm{}".format(random.randrange(OBJECT_NUMBER))
+ _action = random.choice(list(action_data['action-type'].keys()))
+ rules["rbac"].append(
+ {
+ "rule": (_role, _vm, _action),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ )
diff --git a/tests/functional/scenario/rbac_large.py b/tests/functional/scenario/rbac_large.py
new file mode 100644
index 00000000..ef5dd9b2
--- /dev/null
+++ b/tests/functional/scenario/rbac_large.py
@@ -0,0 +1,233 @@
+
+pdp_name = "pdp1"
+policy_name = "RBAC policy example"
+model_name = "RBAC"
+policy_genre = "authz"
+
+subjects = {
+ "user0": "",
+ "user1": "",
+ "user2": "",
+ "user3": "",
+ "user4": "",
+ "user5": "",
+ "user6": "",
+ "user7": "",
+ "user8": "",
+ "user9": "",
+}
+objects = {
+ "vm0": "",
+ "vm1": "",
+ "vm2": "",
+ "vm3": "",
+ "vm4": "",
+ "vm5": "",
+ "vm6": "",
+ "vm7": "",
+ "vm8": "",
+ "vm9": "",
+}
+actions = {
+ "start": "",
+ "stop": "",
+ "pause": "",
+ "unpause": "",
+ "destroy": "",
+}
+
+subject_categories = {"role": "", }
+object_categories = {"id": "", }
+action_categories = {"action-type": "", }
+
+subject_data = {"role": {
+ "admin": "",
+ "employee": "",
+ "dev1": "",
+ "dev2": "",
+ "*": ""
+}}
+object_data = {"id": {
+ "vm0": "",
+ "vm1": "",
+ "vm2": "",
+ "vm3": "",
+ "vm4": "",
+ "vm5": "",
+ "vm6": "",
+ "vm7": "",
+ "vm8": "",
+ "vm9": "",
+ "*": ""
+}}
+action_data = {"action-type": {
+ "vm-read": "",
+ "vm-write": "",
+ "*": ""
+}}
+
+subject_assignments = {
+ "user0": ({"role": "employee"}, {"role": "*"}),
+ "user1": ({"role": "employee"}, {"role": "*"}),
+ "user2": ({"role": "dev1"}, {"role": "*"}),
+ "user3": ({"role": "dev1"}, {"role": "*"}),
+ "user4": ({"role": "dev1"}, {"role": "*"}),
+ "user5": ({"role": "dev1"}, {"role": "*"}),
+ "user6": ({"role": "dev2"}, {"role": "*"}),
+ "user7": ({"role": "dev2"}, {"role": "*"}),
+ "user8": ({"role": "dev2"}, {"role": "*"}),
+ "user9": ({"role": "dev2"}, {"role": "*"}),
+}
+object_assignments = {
+ "vm0": ({"id": "vm0"}, {"id": "*"}),
+ "vm1": ({"id": "vm1"}, {"id": "*"}),
+ "vm2": ({"id": "vm2"}, {"id": "*"}),
+ "vm3": ({"id": "vm3"}, {"id": "*"}),
+ "vm4": ({"id": "vm4"}, {"id": "*"}),
+ "vm5": ({"id": "vm5"}, {"id": "*"}),
+ "vm6": ({"id": "vm6"}, {"id": "*"}),
+ "vm7": ({"id": "vm7"}, {"id": "*"}),
+ "vm8": ({"id": "vm8"}, {"id": "*"}),
+ "vm9": ({"id": "vm9"}, {"id": "*"}),
+}
+action_assignments = {
+ "start": ({"action-type": "vm-write"}, {"action-type": "*"}),
+ "stop": ({"action-type": "vm-write"}, {"action-type": "*"}),
+ "pause": ({"action-type": "vm-read"}, {"action-type": "*"}),
+ "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}),
+ "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}),
+}
+
+meta_rule = {
+ "rbac": {"id": "", "value": ("role", "id", "action-type")},
+}
+
+rules = {
+ "rbac": (
+ {
+ "rule": ("admin", "vm0", "vm-read"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("admin", "vm0", "vm-write"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ # Rules for grant all employee to do read actions to all VM except vm0
+ {
+ "rule": ("employee", "vm1", "vm-read"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("employee", "vm2", "vm-read"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("employee", "vm3", "vm-read"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("employee", "vm4", "vm-read"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("employee", "vm5", "vm-read"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("employee", "vm6", "vm-read"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("employee", "vm7", "vm-read"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("employee", "vm8", "vm-read"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("employee", "vm9", "vm-read"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ # Rules for grant all dev1 to do read actions to some VM
+ {
+ "rule": ("dev1", "vm1", "vm-write"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("dev1", "vm2", "vm-write"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("dev1", "vm3", "vm-write"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("dev1", "vm4", "vm-write"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ # Rules for grant all dev2 to do read actions to some VM
+ {
+ "rule": ("dev2", "vm5", "vm-write"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("dev2", "vm6", "vm-write"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("dev2", "vm7", "vm-write"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("dev2", "vm8", "vm-write"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ {
+ "rule": ("dev2", "vm9", "vm-write"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ )
+}
+
+
diff --git a/tests/functional/scenario/rbac_mls.py b/tests/functional/scenario/rbac_mls.py
new file mode 100644
index 00000000..8a5362ea
--- /dev/null
+++ b/tests/functional/scenario/rbac_mls.py
@@ -0,0 +1,50 @@
+
+pdp_name = "pdp1"
+policy_name = "Multi policy example"
+model_name = "RBAC"
+
+subjects = {"user0": "", "user1": "", "user2": "", }
+objects = {"vm0": "", "vm1": "", }
+actions = {"start": "", "stop": ""}
+
+subject_categories = {"role": "", "subject-security-level": "", }
+object_categories = {"id": "", "object-security-level": "", }
+action_categories = {"action-type": "", }
+
+subject_data = {
+ "role": {"admin": "", "employee": ""},
+ "subject-security-level": {"low": "", "medium": "", "high": ""},
+}
+object_data = {
+ "id": {"vm1": "", "vm2": ""},
+ "object-security-level": {"low": "", "medium": "", "high": ""},
+}
+action_data = {"action-type": {"vm-action": "", "storage-action": "", }}
+
+subject_assignments = {
+ "user0": {"role": "admin", "subject-security-level": "high"},
+ "user1": {"role": "employee", "subject-security-level": "medium"},
+}
+object_assignments = {
+ "vm0": {"id": "vm1", "object-security-level": "medium"},
+ "vm1": {"id": "vm2", "object-security-level": "low"},
+}
+action_assignments = {
+ "start": {"action-type": "vm-action"},
+ "stop": {"action-type": "vm-action"}
+}
+
+meta_rule = {
+ "rbac": {"id": "", "value": ("role", "id", "action-type")},
+ "mls": {"id": "", "value": ("subject-security-level", "object-security-level", "action-type")},
+}
+
+rules = {
+ "rbac": (
+ ("admin", "vm1", "vm-action"),
+ ),
+ "mls": (
+ ("high", "medium", "vm-action"),
+ ("medium", "low", "vm-action"),
+ )
+}
diff --git a/tests/functional/scenario/session.py b/tests/functional/scenario/session.py
new file mode 100644
index 00000000..97d7aec3
--- /dev/null
+++ b/tests/functional/scenario/session.py
@@ -0,0 +1,60 @@
+
+pdp_name = "pdp1"
+policy_name = "Session policy example"
+model_name = "Session"
+policy_genre = "session"
+
+subjects = {"user0": "", "user1": "", }
+objects = {"admin": "", "employee": "", }
+actions = {"activate": "", "deactivate": ""}
+
+subject_categories = {"subjectid": "", }
+object_categories = {"role": "", }
+action_categories = {"session-action": "", }
+
+subject_data = {"subjectid": {"user0": "", "user1": ""}}
+object_data = {"role": {"admin": "", "employee": "", "*": ""}}
+action_data = {"session-action": {"activate": "", "deactivate": "", "*": ""}}
+
+subject_assignments = {"user0": ({"subjectid": "user0"}, ), "user1": ({"subjectid": "user1"}, ), }
+object_assignments = {"admin": ({"role": "admin"}, {"role": "*"}),
+ "employee": ({"role": "employee"}, {"role": "employee"})
+ }
+action_assignments = {"activate": ({"session-action": "activate"}, {"session-action": "*"}, ),
+ "deactivate": ({"session-action": "deactivate"}, {"session-action": "*"}, )
+ }
+
+meta_rule = {
+ "session": {"id": "", "value": ("subjectid", "role", "session-action")},
+}
+
+rules = {
+ "session": (
+ {
+ "rule": ("user0", "employee", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user1", "employee", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "delete",
+ "target": "rbac:role:employee" # delete the role employee from the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ )
+}
+
+
diff --git a/tests/functional/scenario/session_large.py b/tests/functional/scenario/session_large.py
new file mode 100644
index 00000000..5b4a64b6
--- /dev/null
+++ b/tests/functional/scenario/session_large.py
@@ -0,0 +1,389 @@
+
+pdp_name = "pdp1"
+policy_name = "Session policy example"
+model_name = "Session"
+policy_genre = "session"
+
+subjects = {
+ "user0": "",
+ "user1": "",
+ "user2": "",
+ "user3": "",
+ "user4": "",
+ "user5": "",
+ "user6": "",
+ "user7": "",
+ "user8": "",
+ "user9": "",
+}
+objects = {"admin": "", "employee": "", "dev1": "", "dev2": "", }
+actions = {"activate": "", "deactivate": ""}
+
+subject_categories = {"subjectid": "", }
+object_categories = {"role": "", }
+action_categories = {"session-action": "", }
+
+subject_data = {"subjectid": {
+ "user0": "",
+ "user1": "",
+ "user2": "",
+ "user3": "",
+ "user4": "",
+ "user5": "",
+ "user6": "",
+ "user7": "",
+ "user8": "",
+ "user9": "",
+}}
+object_data = {"role": {
+ "admin": "",
+ "employee": "",
+ "dev1": "",
+ "dev2": "",
+ "*": ""
+}}
+action_data = {"session-action": {"activate": "", "deactivate": "", "*": ""}}
+
+subject_assignments = {
+ "user0": ({"subjectid": "user0"}, ),
+ "user1": ({"subjectid": "user1"}, ),
+ "user2": ({"subjectid": "user2"}, ),
+ "user3": ({"subjectid": "user3"}, ),
+ "user4": ({"subjectid": "user4"}, ),
+ "user5": ({"subjectid": "user5"}, ),
+ "user6": ({"subjectid": "user6"}, ),
+ "user7": ({"subjectid": "user7"}, ),
+ "user8": ({"subjectid": "user8"}, ),
+ "user9": ({"subjectid": "user9"}, ),
+}
+object_assignments = {"admin": ({"role": "admin"}, {"role": "*"}),
+ "employee": ({"role": "employee"}, {"role": "*"}),
+ "dev1": ({"role": "employee"}, {"role": "dev1"}, {"role": "*"}),
+ "dev2": ({"role": "employee"}, {"role": "dev2"}, {"role": "*"}),
+ }
+action_assignments = {"activate": ({"session-action": "activate"}, {"session-action": "*"}, ),
+ "deactivate": ({"session-action": "deactivate"}, {"session-action": "*"}, )
+ }
+
+meta_rule = {
+ "session": {"id": "", "value": ("subjectid", "role", "session-action")},
+}
+
+rules = {
+ "session": (
+ {
+ "rule": ("user0", "employee", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user1", "employee", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "delete",
+ "target": "rbac:role:employee" # delete the role employee from the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user2", "employee", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user2", "dev1", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user2", "dev2", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user3", "employee", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user3", "dev1", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user3", "dev2", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user4", "employee", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user4", "dev1", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user4", "dev2", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user5", "employee", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user5", "dev1", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user5", "dev2", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user6", "employee", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user6", "dev1", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user6", "dev2", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user7", "employee", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user7", "dev1", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user7", "dev2", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user8", "employee", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user8", "dev1", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user8", "dev2", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user9", "employee", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user9", "dev1", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ {
+ "rule": ("user9", "dev2", "*"),
+ "instructions": (
+ {
+ "update": {
+ "operation": "add",
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
+ )
+ },
+ )
+}
+
+
diff --git a/tests/functional/send_authz.py b/tests/functional/send_authz.py
new file mode 100644
index 00000000..b4ed1d2f
--- /dev/null
+++ b/tests/functional/send_authz.py
@@ -0,0 +1,32 @@
+from importlib.machinery import SourceFileLoader
+from python_moonclient import config, parse, models, policies, pdp, authz
+
+
+if __name__ == "__main__":
+ args = parse.parse()
+ consul_host = args.consul_host
+ consul_port = args.consul_port
+
+ models.init(consul_host, consul_port)
+ policies.init(consul_host, consul_port)
+ pdp.init(consul_host, consul_port)
+
+ if args.filename:
+ print("Loading: {}".format(args.filename[0]))
+ m = SourceFileLoader("scenario", args.filename[0])
+ scenario = m.load_module()
+
+ keystone_project_id = pdp.get_keystone_id(args.pdp)
+ time_data = authz.send_requests(
+ scenario,
+ args.authz_host,
+ args.authz_port,
+ keystone_project_id,
+ request_second=args.request_second,
+ limit=args.limit,
+ dry_run=args.dry_run,
+ stress_test=args.stress_test,
+ destination=args.destination
+ )
+ if not args.dry_run:
+ authz.save_data(args.write, time_data)