From 170dab6c6c42f4edad70eddac81372a0a37a25f3 Mon Sep 17 00:00:00 2001 From: asteroide Date: Tue, 13 Jun 2017 21:53:28 +0200 Subject: Add testing tools Change-Id: If28e3a56a745faec09484fb6c20d6275aef113d4 --- moonv4/tests/02_smpolicy_chaining_overhead/exec.sh | 22 + moonv4/tests/02_smpolicy_chaining_overhead/plot.sh | 20 + .../tests/02_smpolicy_chaining_overhead/rbac_10.py | 233 +++++++ .../tests/02_smpolicy_chaining_overhead/rbac_20.py | 371 ++++++++++ .../02_smpolicy_chaining_overhead/session_10.py | 389 +++++++++++ .../02_smpolicy_chaining_overhead/session_20.py | 744 +++++++++++++++++++++ 6 files changed, 1779 insertions(+) create mode 100644 moonv4/tests/02_smpolicy_chaining_overhead/exec.sh create mode 100644 moonv4/tests/02_smpolicy_chaining_overhead/plot.sh create mode 100644 moonv4/tests/02_smpolicy_chaining_overhead/rbac_10.py create mode 100644 moonv4/tests/02_smpolicy_chaining_overhead/rbac_20.py create mode 100644 moonv4/tests/02_smpolicy_chaining_overhead/session_10.py create mode 100644 moonv4/tests/02_smpolicy_chaining_overhead/session_20.py (limited to 'moonv4/tests/02_smpolicy_chaining_overhead') diff --git a/moonv4/tests/02_smpolicy_chaining_overhead/exec.sh b/moonv4/tests/02_smpolicy_chaining_overhead/exec.sh new file mode 100644 index 00000000..3a10ef4a --- /dev/null +++ b/moonv4/tests/02_smpolicy_chaining_overhead/exec.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env bash + +TEST_SCRIPT=${MOON_HOME}/moon_interface/tests/apitests/set_authz.py +POPULATE_SCRIPT=${MOON_HOME}/moon_interface/tests/apitests/populate_default_values.py +RESULT_DIR=${MOON_HOME}/tests/02_smpolicy_chaining_overhead/10_users_rbac +SCENARIO_RBAC=${MOON_HOME}/tests/02_smpolicy_chaining_overhead/rbac_10.py +SCENARIO_SESSION=${MOON_HOME}/tests/02_smpolicy_chaining_overhead/session.py + +mkdir -p ${RESULT_DIR} 2>/dev/null + +python3 ${POPULATE_SCRIPT} ${SCENARIO_RBAC} +# python3 ${POPULATE_SCRIPT} ${SCENARIO_SESSION} + +python3 ${TEST_SCRIPT} --request-per-second 1 --write="${RESULT_DIR}/data_1.json" --write-html="${RESULT_DIR}/data_1.html" ${SCENARIO_RBAC} +python3 ${TEST_SCRIPT} --request-per-second 2 --write="${RESULT_DIR}/data_2.json" --write-html="${RESULT_DIR}/data_2.html" ${SCENARIO_RBAC} +python3 ${TEST_SCRIPT} --request-per-second 3 --write="${RESULT_DIR}/data_3.json" --write-html="${RESULT_DIR}/data_3.html" ${SCENARIO_RBAC} +python3 ${TEST_SCRIPT} --request-per-second 4 --write="${RESULT_DIR}/data_4.json" --write-html="${RESULT_DIR}/data_4.html" ${SCENARIO_RBAC} +python3 ${TEST_SCRIPT} --request-per-second 5 --write="${RESULT_DIR}/data_5.json" --write-html="${RESULT_DIR}/data_5.html" ${SCENARIO_RBAC} +python3 ${TEST_SCRIPT} --request-per-second 10 --write="${RESULT_DIR}/data_10.json" --write-html="${RESULT_DIR}/data_10.html" ${SCENARIO_RBAC} +python3 ${TEST_SCRIPT} --request-per-second 15 --write="${RESULT_DIR}/data_15.json" --write-html="${RESULT_DIR}/data_15.html" ${SCENARIO_RBAC} +python3 ${TEST_SCRIPT} --request-per-second 20 --write="${RESULT_DIR}/data_20.json" --write-html="${RESULT_DIR}/data_20.html" ${SCENARIO_RBAC} +python3 ${TEST_SCRIPT} --request-per-second 25 --write="${RESULT_DIR}/data_25.json" --write-html="${RESULT_DIR}/data_25.html" ${SCENARIO_RBAC} diff --git a/moonv4/tests/02_smpolicy_chaining_overhead/plot.sh b/moonv4/tests/02_smpolicy_chaining_overhead/plot.sh new file mode 100644 index 00000000..e67babce --- /dev/null +++ b/moonv4/tests/02_smpolicy_chaining_overhead/plot.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash + +DIR=$1 + +cd ${DIR} + +python3 ${MOON_HOME}/moon_interface/tests/apitests/plot_json.py \ + --input="data_1.json,data_2.json,data_3.json,data_4.json,data_5.json,data_10.json,data_15.json,data_20.json" \ + --legend="1 req/s,2 req/s,3 req/s,4 req/s,5 req/s,10 req/s,15 req/s,20 req/s" \ + --plot-result="Deny" \ + --plot-average \ + -d +#python3 ${MOON_HOME}/moon_interface/tests/apitests/plot_json.py \ +# --input="data_1.json,data_5.json,data_10.json,data_15.json,data_20.json" \ +# --legend="1 req/s,5 req/s,10 req/s,15 req/s,20 req/s" \ +# -d +#python3 ${MOON_HOME}/moon_interface/tests/apitests/plot_json.py \ +# --input="data_1.json,data_2.json,data_3.json,data_4.json,data_5.json,data_10.json,data_15.json,data_20.json,data_25.json" \ +# --legend="1 req/s,2 req/s,3 req/s,4 req/s,5 req/s,10 req/s,15 req/s,20 req/s,25 req/s" \ +# -d diff --git a/moonv4/tests/02_smpolicy_chaining_overhead/rbac_10.py b/moonv4/tests/02_smpolicy_chaining_overhead/rbac_10.py new file mode 100644 index 00000000..ef5dd9b2 --- /dev/null +++ b/moonv4/tests/02_smpolicy_chaining_overhead/rbac_10.py @@ -0,0 +1,233 @@ + +pdp_name = "pdp1" +policy_name = "RBAC policy example" +model_name = "RBAC" +policy_genre = "authz" + +subjects = { + "user0": "", + "user1": "", + "user2": "", + "user3": "", + "user4": "", + "user5": "", + "user6": "", + "user7": "", + "user8": "", + "user9": "", +} +objects = { + "vm0": "", + "vm1": "", + "vm2": "", + "vm3": "", + "vm4": "", + "vm5": "", + "vm6": "", + "vm7": "", + "vm8": "", + "vm9": "", +} +actions = { + "start": "", + "stop": "", + "pause": "", + "unpause": "", + "destroy": "", +} + +subject_categories = {"role": "", } +object_categories = {"id": "", } +action_categories = {"action-type": "", } + +subject_data = {"role": { + "admin": "", + "employee": "", + "dev1": "", + "dev2": "", + "*": "" +}} +object_data = {"id": { + "vm0": "", + "vm1": "", + "vm2": "", + "vm3": "", + "vm4": "", + "vm5": "", + "vm6": "", + "vm7": "", + "vm8": "", + "vm9": "", + "*": "" +}} +action_data = {"action-type": { + "vm-read": "", + "vm-write": "", + "*": "" +}} + +subject_assignments = { + "user0": ({"role": "employee"}, {"role": "*"}), + "user1": ({"role": "employee"}, {"role": "*"}), + "user2": ({"role": "dev1"}, {"role": "*"}), + "user3": ({"role": "dev1"}, {"role": "*"}), + "user4": ({"role": "dev1"}, {"role": "*"}), + "user5": ({"role": "dev1"}, {"role": "*"}), + "user6": ({"role": "dev2"}, {"role": "*"}), + "user7": ({"role": "dev2"}, {"role": "*"}), + "user8": ({"role": "dev2"}, {"role": "*"}), + "user9": ({"role": "dev2"}, {"role": "*"}), +} +object_assignments = { + "vm0": ({"id": "vm0"}, {"id": "*"}), + "vm1": ({"id": "vm1"}, {"id": "*"}), + "vm2": ({"id": "vm2"}, {"id": "*"}), + "vm3": ({"id": "vm3"}, {"id": "*"}), + "vm4": ({"id": "vm4"}, {"id": "*"}), + "vm5": ({"id": "vm5"}, {"id": "*"}), + "vm6": ({"id": "vm6"}, {"id": "*"}), + "vm7": ({"id": "vm7"}, {"id": "*"}), + "vm8": ({"id": "vm8"}, {"id": "*"}), + "vm9": ({"id": "vm9"}, {"id": "*"}), +} +action_assignments = { + "start": ({"action-type": "vm-write"}, {"action-type": "*"}), + "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), + "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, +} + +rules = { + "rbac": ( + { + "rule": ("admin", "vm0", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("admin", "vm0", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all employee to do read actions to all VM except vm0 + { + "rule": ("employee", "vm1", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm2", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm3", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm4", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm5", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm6", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm7", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm8", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm9", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all dev1 to do read actions to some VM + { + "rule": ("dev1", "vm1", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev1", "vm2", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev1", "vm3", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev1", "vm4", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all dev2 to do read actions to some VM + { + "rule": ("dev2", "vm5", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm6", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm7", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm8", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm9", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + ) +} + + diff --git a/moonv4/tests/02_smpolicy_chaining_overhead/rbac_20.py b/moonv4/tests/02_smpolicy_chaining_overhead/rbac_20.py new file mode 100644 index 00000000..b1a72769 --- /dev/null +++ b/moonv4/tests/02_smpolicy_chaining_overhead/rbac_20.py @@ -0,0 +1,371 @@ + +pdp_name = "pdp1" +policy_name = "RBAC policy example" +model_name = "RBAC" +policy_genre = "authz" + +subjects = { + "user0": "", + "user1": "", + "user2": "", + "user3": "", + "user4": "", + "user5": "", + "user6": "", + "user7": "", + "user8": "", + "user9": "", + "user10": "", + "user11": "", + "user12": "", + "user13": "", + "user14": "", + "user15": "", + "user16": "", + "user17": "", + "user18": "", + "user19": "", +} +objects = { + "vm0": "", + "vm1": "", + "vm2": "", + "vm3": "", + "vm4": "", + "vm5": "", + "vm6": "", + "vm7": "", + "vm8": "", + "vm9": "", +} +actions = { + "start": "", + "stop": "", + "pause": "", + "unpause": "", + "destroy": "", +} + +subject_categories = {"role": "", } +object_categories = {"id": "", } +action_categories = {"action-type": "", } + +subject_data = {"role": { + "admin": "", + "employee": "", + "dev1": "", + "dev2": "", + "dev3": "", + "dev4": "", + "dev5": "", + "dev6": "", + "dev7": "", + "dev8": "", + "*": "" +}} +object_data = {"id": { + "vm0": "", + "vm1": "", + "vm2": "", + "vm3": "", + "vm4": "", + "vm5": "", + "vm6": "", + "vm7": "", + "vm8": "", + "vm9": "", + "*": "" +}} +action_data = {"action-type": { + "vm-read": "", + "vm-write": "", + "*": "" +}} + +subject_assignments = { + "user0": ({"role": "employee"}, {"role": "*"}), + "user1": ({"role": "employee"}, {"role": "*"}), + "user2": ({"role": "dev1"}, {"role": "*"}), + "user3": ({"role": "dev1"}, {"role": "*"}), + "user4": ({"role": "dev1"}, {"role": "*"}), + "user5": ({"role": "dev1"}, {"role": "*"}), + "user6": ({"role": "dev2"}, {"role": "*"}), + "user7": ({"role": "dev2"}, {"role": "*"}), + "user8": ({"role": "dev2"}, {"role": "*"}), + "user9": ({"role": "dev2"}, {"role": "*"}), + "user10": ({"role": "employee"}, {"role": "*"}), + "user11": ({"role": "employee"}, {"role": "*"}), + "user12": ({"role": "dev3"}, {"role": "*"}), + "user13": ({"role": "dev3"}, {"role": "*"}), + "user14": ({"role": "dev4"}, {"role": "*"}), + "user15": ({"role": "dev4"}, {"role": "*"}), + "user16": ({"role": "dev5"}, {"role": "*"}), + "user17": ({"role": "dev6"}, {"role": "*"}), + "user18": ({"role": "dev7"}, {"role": "*"}), + "user19": ({"role": "dev8"}, {"role": "*"}), +} +object_assignments = { + "vm0": ({"id": "vm0"}, {"id": "*"}), + "vm1": ({"id": "vm1"}, {"id": "*"}), + "vm2": ({"id": "vm2"}, {"id": "*"}), + "vm3": ({"id": "vm3"}, {"id": "*"}), + "vm4": ({"id": "vm4"}, {"id": "*"}), + "vm5": ({"id": "vm5"}, {"id": "*"}), + "vm6": ({"id": "vm6"}, {"id": "*"}), + "vm7": ({"id": "vm7"}, {"id": "*"}), + "vm8": ({"id": "vm8"}, {"id": "*"}), + "vm9": ({"id": "vm9"}, {"id": "*"}), +} +action_assignments = { + "start": ({"action-type": "vm-write"}, {"action-type": "*"}), + "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), + "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, +} + +rules = { + "rbac": ( + { + "rule": ("admin", "vm0", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("admin", "vm0", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all employee to do read actions to all VM except vm0 + { + "rule": ("employee", "vm1", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm2", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm3", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm4", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm5", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm6", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm7", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm8", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm9", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all dev1 to do read actions to some VM + { + "rule": ("dev1", "vm1", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev1", "vm2", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev1", "vm3", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev1", "vm4", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all dev2 to do read actions to some VM + { + "rule": ("dev2", "vm5", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm6", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm7", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm8", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm9", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all dev3 to do read actions to some VM + { + "rule": ("dev3", "vm1", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev3", "vm2", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev3", "vm3", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev3", "vm4", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all dev4 to do read actions to some VM + { + "rule": ("dev4", "vm5", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev4", "vm6", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev4", "vm7", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev4", "vm8", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev4", "vm9", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all dev5 to do read actions to some VM + { + "rule": ("dev5", "vm1", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev5", "vm2", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev5", "vm3", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev5", "vm4", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all dev6 to do read actions to some VM + { + "rule": ("dev6", "vm5", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev6", "vm6", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev6", "vm7", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev6", "vm8", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev6", "vm9", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + ) +} + + diff --git a/moonv4/tests/02_smpolicy_chaining_overhead/session_10.py b/moonv4/tests/02_smpolicy_chaining_overhead/session_10.py new file mode 100644 index 00000000..5b4a64b6 --- /dev/null +++ b/moonv4/tests/02_smpolicy_chaining_overhead/session_10.py @@ -0,0 +1,389 @@ + +pdp_name = "pdp1" +policy_name = "Session policy example" +model_name = "Session" +policy_genre = "session" + +subjects = { + "user0": "", + "user1": "", + "user2": "", + "user3": "", + "user4": "", + "user5": "", + "user6": "", + "user7": "", + "user8": "", + "user9": "", +} +objects = {"admin": "", "employee": "", "dev1": "", "dev2": "", } +actions = {"activate": "", "deactivate": ""} + +subject_categories = {"subjectid": "", } +object_categories = {"role": "", } +action_categories = {"session-action": "", } + +subject_data = {"subjectid": { + "user0": "", + "user1": "", + "user2": "", + "user3": "", + "user4": "", + "user5": "", + "user6": "", + "user7": "", + "user8": "", + "user9": "", +}} +object_data = {"role": { + "admin": "", + "employee": "", + "dev1": "", + "dev2": "", + "*": "" +}} +action_data = {"session-action": {"activate": "", "deactivate": "", "*": ""}} + +subject_assignments = { + "user0": ({"subjectid": "user0"}, ), + "user1": ({"subjectid": "user1"}, ), + "user2": ({"subjectid": "user2"}, ), + "user3": ({"subjectid": "user3"}, ), + "user4": ({"subjectid": "user4"}, ), + "user5": ({"subjectid": "user5"}, ), + "user6": ({"subjectid": "user6"}, ), + "user7": ({"subjectid": "user7"}, ), + "user8": ({"subjectid": "user8"}, ), + "user9": ({"subjectid": "user9"}, ), +} +object_assignments = {"admin": ({"role": "admin"}, {"role": "*"}), + "employee": ({"role": "employee"}, {"role": "*"}), + "dev1": ({"role": "employee"}, {"role": "dev1"}, {"role": "*"}), + "dev2": ({"role": "employee"}, {"role": "dev2"}, {"role": "*"}), + } +action_assignments = {"activate": ({"session-action": "activate"}, {"session-action": "*"}, ), + "deactivate": ({"session-action": "deactivate"}, {"session-action": "*"}, ) + } + +meta_rule = { + "session": {"id": "", "value": ("subjectid", "role", "session-action")}, +} + +rules = { + "session": ( + { + "rule": ("user0", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user1", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "delete", + "target": "rbac:role:employee" # delete the role employee from the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user2", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user2", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user2", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user3", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user3", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user3", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user4", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user4", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user4", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user5", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user5", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user5", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user6", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user6", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user6", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user7", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user7", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user7", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user8", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user8", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user8", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user9", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user9", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user9", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + ) +} + + diff --git a/moonv4/tests/02_smpolicy_chaining_overhead/session_20.py b/moonv4/tests/02_smpolicy_chaining_overhead/session_20.py new file mode 100644 index 00000000..d548f29e --- /dev/null +++ b/moonv4/tests/02_smpolicy_chaining_overhead/session_20.py @@ -0,0 +1,744 @@ + +pdp_name = "pdp1" +policy_name = "Session policy example" +model_name = "Session" +policy_genre = "session" + +subjects = { + "user0": "", + "user1": "", + "user2": "", + "user3": "", + "user4": "", + "user5": "", + "user6": "", + "user7": "", + "user8": "", + "user9": "", + "user10": "", + "user11": "", + "user12": "", + "user13": "", + "user14": "", + "user15": "", + "user16": "", + "user17": "", + "user18": "", + "user19": "", +} +objects = {"admin": "", "employee": "", "dev1": "", "dev3": "", + "dev4": "", "dev5": "", "dev6": "", "dev7": "", "dev8": ""} +actions = {"activate": "", "deactivate": ""} + +subject_categories = {"subjectid": "", } +object_categories = {"role": "", } +action_categories = {"session-action": "", } + +subject_data = {"subjectid": { + "user0": "", + "user1": "", + "user2": "", + "user3": "", + "user4": "", + "user5": "", + "user6": "", + "user7": "", + "user8": "", + "user9": "", + "user10": "", + "user11": "", + "user12": "", + "user13": "", + "user14": "", + "user15": "", + "user16": "", + "user17": "", + "user18": "", + "user19": "", +}} +object_data = {"role": { + "admin": "", + "employee": "", + "dev1": "", + "dev2": "", + "dev3": "", + "dev4": "", + "dev5": "", + "dev6": "", + "dev7": "", + "dev8": "", + "*": "" +}} +action_data = {"session-action": {"activate": "", "deactivate": "", "*": ""}} + +subject_assignments = { + "user0": ({"subjectid": "user0"}, ), + "user1": ({"subjectid": "user1"}, ), + "user2": ({"subjectid": "user2"}, ), + "user3": ({"subjectid": "user3"}, ), + "user4": ({"subjectid": "user4"}, ), + "user5": ({"subjectid": "user5"}, ), + "user6": ({"subjectid": "user6"}, ), + "user7": ({"subjectid": "user7"}, ), + "user8": ({"subjectid": "user8"}, ), + "user9": ({"subjectid": "user9"}, ), + "user10": ({"subjectid": "user10"}, ), + "user11": ({"subjectid": "user11"}, ), + "user12": ({"subjectid": "user12"}, ), + "user13": ({"subjectid": "user13"}, ), + "user14": ({"subjectid": "user14"}, ), + "user15": ({"subjectid": "user15"}, ), + "user16": ({"subjectid": "user16"}, ), + "user17": ({"subjectid": "user17"}, ), + "user18": ({"subjectid": "user18"}, ), + "user19": ({"subjectid": "user19"}, ), +} +object_assignments = {"admin": ({"role": "admin"}, {"role": "*"}), + "employee": ({"role": "employee"}, {"role": "*"}), + "dev1": ({"role": "employee"}, {"role": "dev1"}, {"role": "*"}), + "dev2": ({"role": "employee"}, {"role": "dev2"}, {"role": "*"}), + "dev3": ({"role": "employee"}, {"role": "dev3"}, {"role": "*"}), + "dev4": ({"role": "employee"}, {"role": "dev4"}, {"role": "*"}), + "dev5": ({"role": "employee"}, {"role": "dev5"}, {"role": "*"}), + "dev6": ({"role": "employee"}, {"role": "dev6"}, {"role": "*"}), + "dev7": ({"role": "employee"}, {"role": "dev7"}, {"role": "*"}), + "dev8": ({"role": "employee"}, {"role": "dev8"}, {"role": "*"}), + } +action_assignments = {"activate": ({"session-action": "activate"}, {"session-action": "*"}, ), + "deactivate": ({"session-action": "deactivate"}, {"session-action": "*"}, ) + } + +meta_rule = { + "session": {"id": "", "value": ("subjectid", "role", "session-action")}, +} + +rules = { + "session": ( + { + "rule": ("user0", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user1", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "delete", + "target": "rbac:role:employee" # delete the role employee from the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user2", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user2", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user2", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user3", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user3", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user3", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user4", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user4", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user4", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user5", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user5", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user5", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user6", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user6", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user6", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user7", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user7", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user7", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user8", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user8", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user8", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user9", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user9", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user9", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user10", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user11", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "delete", + "target": "rbac:role:employee" # delete the role employee from the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user12", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user12", "dev3", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user12", "dev4", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user13", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user13", "dev3", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user13", "dev4", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user14", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user14", "dev3", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user14", "dev4", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user15", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user15", "dev3", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user15", "dev4", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user16", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user16", "dev3", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user16", "dev4", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user17", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user17", "dev3", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user17", "dev4", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user18", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user18", "dev3", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user18", "dev4", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user19", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user19", "dev3", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user19", "dev4", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user1 + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + ) +} + + -- cgit 1.2.3-korg