From 1100c66ce03a059ebe7ece9734e799b49b3a5a9e Mon Sep 17 00:00:00 2001 From: WuKong Date: Sat, 23 Dec 2017 21:49:35 +0100 Subject: moonv4 cleanup Change-Id: Icef927f3236d985ac13ff7376f6ce6314b2b39b0 Signed-off-by: WuKong --- tests/get_keystone_projects.py | 16 ++ tests/performance/README.md | 69 +++++++ tests/populate_default_values.py | 37 ++++ tests/run_tests.py | 186 ------------------ tests/run_tests.sh | 14 -- tests/scenario/delegation.py | 40 ++++ tests/scenario/mls.py | 54 +++++ tests/scenario/rbac.py | 44 +++++ tests/scenario/rbac_custom_100.py | 89 +++++++++ tests/scenario/rbac_custom_1000.py | 89 +++++++++ tests/scenario/rbac_custom_50.py | 89 +++++++++ tests/scenario/rbac_large.py | 233 ++++++++++++++++++++++ tests/scenario/rbac_mls.py | 50 +++++ tests/scenario/session.py | 60 ++++++ tests/scenario/session_large.py | 389 +++++++++++++++++++++++++++++++++++++ tests/send_authz.py | 32 +++ 16 files changed, 1291 insertions(+), 200 deletions(-) create mode 100644 tests/get_keystone_projects.py create mode 100644 tests/performance/README.md create mode 100644 tests/populate_default_values.py delete mode 100755 tests/run_tests.py delete mode 100755 tests/run_tests.sh create mode 100644 tests/scenario/delegation.py create mode 100644 tests/scenario/mls.py create mode 100644 tests/scenario/rbac.py create mode 100644 tests/scenario/rbac_custom_100.py create mode 100644 tests/scenario/rbac_custom_1000.py create mode 100644 tests/scenario/rbac_custom_50.py create mode 100644 tests/scenario/rbac_large.py create mode 100644 tests/scenario/rbac_mls.py create mode 100644 tests/scenario/session.py create mode 100644 tests/scenario/session_large.py create mode 100644 tests/send_authz.py (limited to 'tests') diff --git a/tests/get_keystone_projects.py b/tests/get_keystone_projects.py new file mode 100644 index 00000000..9b5d87cd --- /dev/null +++ b/tests/get_keystone_projects.py @@ -0,0 +1,16 @@ +from python_moonclient import parse, models, policies, pdp + + +if __name__ == "__main__": + args = parse.parse() + consul_host = args.consul_host + consul_port = args.consul_port + + models.init(consul_host, consul_port) + policies.init(consul_host, consul_port) + pdp.init(consul_host, consul_port) + + projects = pdp.get_keystone_projects() + + for _project in projects['projects']: + print("{} {}".format(_project['id'], _project['name'])) diff --git a/tests/performance/README.md b/tests/performance/README.md new file mode 100644 index 00000000..52613d2c --- /dev/null +++ b/tests/performance/README.md @@ -0,0 +1,69 @@ +# Moon Yardstick and Bottlenecks Performance Tests + +The main objective of this document is to describe the performance tests for the Moon project/module. +Moon is a security managment platform which provides a set of security functions to project the underlying OPNFV infrastructure and/or VNFs. +Moon is consisted of 2 parts: a master and a set of slaves. The master holds all security-related information and each slave only fetches and holds +related informations for its local usage from master. + +## Moon Master Performance Tests +In this test, we should: +- setup a Moon master service on a physical server +- create a tenant/scope through the Moon master service +- create a MSL security policy with 4 subject security levels and 4 object security levels for this tenant + +- increase N to find the limit of the security policy (implemented in format of a Docker) + - create N users and N resources (VMs in our case) in this tenant + - simulate 2 operation requests per user per second to Moon's authorization endpoint + - gather performance metrics like CPU, memory, network usages + - throught the iteration, determine the capacity limit for one Docker + +- setup 20 user and 20 resources (VMs in our case) for one tenant + - increase the number of tenants to test the maximal number of tenants on the server + +- setup 5 tenants of N users and N resources (VMs in our case) in each tenant + - increase N by simulating 2 operation requests per user per second to the Moon's authorization endpoint + - gather performance metrics like CPU, memory, network usages + - throught the iteration, dermine the maximal user/resource number of these 5 tenants/Dockers on the server + +- setup 10 tenants of N users and N resources (VMs in our case) in each tenant + - increase N by simulating 2 operation requests per user per second to the Moon's authorization endpoint + - gather performance metrics like CPU, memory, network usages + - throught the iteration, dermine the maximal user/resource number of these 10 tenants/Dockers on the server + +- setup 20 tenants of N users and N resources (VMs in our case) in each tenant + - increase N by simulating 2 operation requests per user per second to the Moon's authorization endpoint + - gather performance metrics like CPU, memory, network usages + - throught the iteration, dermine the maximal user/resource number of these 20 tenants/Dockers on the server + +## Moon Slave Performace Tests +In this test, we should: +- setup a Moon master service on a physical server +- setup a Moon slave service on a physical server +- create a tenant/scope through the Moon master service +- create a MSL security policy with 4 subject security levels and 4 object security levels for this tenant through the Moon master service + +- increase N to find the limit of the security policy (implemented in format of a Docker) + - create N users and N resources (VMs in our case) in this tenant + - simulate 2 operation requests per user per second to Moon slave's authorizatoin endpoint + - gather performance metrics like CPU, memory, network usages of Moon slave + - throught the iteration, dermine the capacity limit for one Docker of Moon slave + +- setup 20 user and 20 resources (VMs in our case) for one tenant through the Moon slave service + - increate the number of tenants to test the maximal number of tenants on the server of the Moon slave + +- setup 5 tenants of N users and N resources (VMs in our case) in each tenant through the Moon master service + - increate N by simulating 2 operation requests per user per second to the Moon slave's authorization endpoint + - gather performance metrics like CPU, memory, network usages of both Moon master and Moon slave + - throught the iteration, dermine the maximal user/resource number of these 5 tenants/Dockers on the server of Moon slave + +- setup 10 tenants of N users and N resources (VMs in our case) in each tenant through the Moon master service + - increate N by simulating 2 operation requests per user per second to the Moon slave's authorization endpoint + - gather performance metrics like CPU, memory, network usages of both Moon master and slave + - throught the iteration, dermine the maximal user/resource number of these 10 tenants/Dockers on the server of the Moon slave + +- setup 20 tenants of N users and N resources (VMs in our case) in each tenant through the Moon master service + - increate N by simulating 2 operation requests per user per second to the Moon slave's authorization endpoint + - gather performance metrics like CPU, memory, network usages of both Moon master and slave + - throught the iteration, dermine the maximal user/resource number of these 20 tenants/Dockers on the server of the Moon slave + + diff --git a/tests/populate_default_values.py b/tests/populate_default_values.py new file mode 100644 index 00000000..d5a5769b --- /dev/null +++ b/tests/populate_default_values.py @@ -0,0 +1,37 @@ +import logging +from importlib.machinery import SourceFileLoader +from python_moonclient import parse, models, policies, pdp + +logger = logging.getLogger("moonforming") + + +if __name__ == "__main__": + requests_log = logging.getLogger("requests.packages.urllib3") + requests_log.setLevel(logging.WARNING) + requests_log.propagate = True + + args = parse.parse() + consul_host = args.consul_host + consul_port = args.consul_port + project_id = args.keystone_pid + + models.init(consul_host, consul_port) + policies.init(consul_host, consul_port) + pdp.init(consul_host, consul_port) + + if args.filename: + print("Loading: {}".format(args.filename[0])) + m = SourceFileLoader("scenario", args.filename[0]) + scenario = m.load_module() + + _models = models.check_model() + for _model_id, _model_value in _models['models'].items(): + if _model_value['name'] == scenario.model_name: + model_id = _model_id + meta_rule_list = _model_value['meta_rules'] + models.create_model(scenario, model_id) + break + else: + model_id, meta_rule_list = models.create_model(scenario) + policy_id = policies.create_policy(scenario, model_id, meta_rule_list) + pdp_id = pdp.create_pdp(scenario, policy_id=policy_id, project_id=project_id) diff --git a/tests/run_tests.py b/tests/run_tests.py deleted file mode 100755 index 2d96bef7..00000000 --- a/tests/run_tests.py +++ /dev/null @@ -1,186 +0,0 @@ -#!/usr/bin/python - -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the -# 'Apache-2.0'license which can be found in the file 'LICENSE' in this -# package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -import argparse -import functest.utils.functest_logger as ft_logger -import functest.utils.functest_utils as functest_utils -import os -import sys -import time -import yaml -import subprocess -import json -import requests -from requests.auth import HTTPBasicAuth -try: - import http.client as client -except ImportError: - import httplib as client -try: - # Python3 version - from urllib.request import urlopen, HTTPBasicAuthHandler, build_opener, install_opener -except ImportError: - # Python2 version - from urllib import urlopen - from urllib2 import HTTPBasicAuthHandler, build_opener, install_opener - - -PORT_ODL = 8181 -HOST_ODL = "localhost" - -parser = argparse.ArgumentParser() - -parser.add_argument("-r", "--report", - help="Create json result file", - action="store_true") -args = parser.parse_args() - -with open(os.environ["CONFIG_FUNCTEST_YAML"]) as f: - functest_yaml = yaml.safe_load(f) - -dirs = functest_yaml.get('general').get('directories') -TEST_DB_URL = functest_yaml.get('results').get('test_db_url') - -logger = ft_logger.Logger("moon").getLogger() - -RESULTS_DIR = \ - functest_utils.get_functest_config('general.directories.dir_results') - - -def __get_endpoint_url(name="keystone"): - proc = subprocess.Popen(["openstack", "endpoint", "show", - name, "-f", "yaml"], stdout=subprocess.PIPE) - y = yaml.load(proc.stdout.read()) - url = y['publicurl'] - url = url.replace("http://", "") - url = url.replace("https://", "") - host, port = url.split(":") - port = port.split("/")[0] - return host, port - - -def test_federation(): - - username = "test_fede" - password = "pass_fede" - - # Create a new user in OpenStack - proc = subprocess.Popen(["openstack", "user", "create", - "--password", password, username, "-f", - "yaml"], stdout=subprocess.PIPE) - logger.info("Create new user ({})".format(proc.stdout.read())) - - # Add the role admin to our new user - proc = subprocess.Popen(["openstack", "role", "add", "--project", - "admin", "--user", username, "admin", "-f", - "yaml"], stdout=subprocess.PIPE) - logger.info("Add the role admin to our new user ({})".format(proc.stdout.read())) - - # Add the sdn tenant - proc = subprocess.Popen(["openstack", "project", "create", "sdn", - "-f", "yaml"], stdout=subprocess.PIPE) - logger.info("Add the tenant sdn ({})".format(proc.stdout.read())) - - # Add the role admin to test_fede in tenant sdn - proc = subprocess.Popen(["openstack", "role", "add", "--project", - "sdn", "--user", username, "admin", "-f", - "yaml"], stdout=subprocess.PIPE) - logger.info("Add the role admin for the user test_fede in the tenant sdn ({})".format(proc.stdout.read())) - - # Retrieve Moon token - nhost, nport = __get_endpoint_url() - auth_data = {'username': username, 'password': password} - conn = client.HTTPConnection(nhost, nport) - headers = {"Content-type": "application/json"} - conn.request("POST", "/moon/auth/tokens", json.dumps(auth_data).encode('utf-8'), headers=headers) - resp = conn.getresponse() - if resp.status not in (200, 201, 202, 204): - return False, "Not able to retrieve Moon token on {}:{} (error code: {}).".format(nhost, nport, resp.status) - - # Test ODL auth - nhost, nport = __get_endpoint_url(name="neutron") - nport = "8181" - - # Test with basic login/pass - # auth = HTTPBasicAuth("admin", "console") - # req = requests.get(url='http://{host}:{port}/auth/v1/domains'.format(host=nhost, port=nport), auth=auth) - # code = req.status_code - # if code not in (200, 201, 202, 204): - # return False, "Not able to authenticate to ODL with admin (error code: {}).".format(code) - - auth = HTTPBasicAuth(username, password) - req = requests.get(url='http://{host}:{port}/auth/v1/domains'.format(host=nhost, port=nport), auth=auth) - code = req.status_code - if code not in (200, 201, 202, 204): - return False, "Not able to authenticate to ODL (error code: {}).".format(code) - return True, "" - - -def test_moon_openstack(): - log_filename = RESULTS_DIR + "/moonclient_selftest.log" - cmd = "moon test --password console --self --logfile {}".format(log_filename) - - ret_val = functest_utils.execute_command(cmd, - info=True, - exit_on_error=False, - output_file=log_filename) - - return ret_val, open(log_filename, "rt").read() - - -def main(): - start_time = time.time() - - result_os = test_moon_openstack() - result_odl = test_federation() - - stop_time = time.time() - duration = round(stop_time - start_time, 1) - if result_os[0] == 0 and result_odl[0]: - logger.info("OS MOON PASSED") - test_status = 'PASS' - else: - logger.info("OS MOON ERROR") - test_status = 'FAIL' - logger.info("Errors from OpenStack tests:") - logger.info(result_os[1]) - logger.info("Errors from Federation tests:") - logger.info(result_odl[1]) - - details = { - 'timestart': start_time, - 'duration': duration, - 'status': test_status, - 'results': { - 'openstack': result_os, - 'opendaylight': result_odl - } - } - - functest_utils.logger_test_results("moon", - "moon_authentication", - test_status, details) - if args.report: - functest_utils.push_results_to_db("moon", - "moon_authentication", - start_time, - stop_time, - test_status, - details) - logger.info("Moon results pushed to DB") - - if result_os[0] != 0 or not result_odl[0]: - return False - return True - - -if __name__ == '__main__': - ret = main() - if ret: - sys.exit(0) - sys.exit(1) diff --git a/tests/run_tests.sh b/tests/run_tests.sh deleted file mode 100755 index a86c9649..00000000 --- a/tests/run_tests.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env bash - -if [ $# -eq 1 ]; then cd $1; fi - -# ========================================================== -# test for OpenStack/Moon API through moonclient cli - -python run_tests.py - -# ========================================================== -# test for OpenStack OpenDaylight identity federation - -# create tenant, user, and password in OpenStack/moon -# use the created tenant, user, password to access OpenDaylight diff --git a/tests/scenario/delegation.py b/tests/scenario/delegation.py new file mode 100644 index 00000000..839e74ce --- /dev/null +++ b/tests/scenario/delegation.py @@ -0,0 +1,40 @@ + +pdp_name = "pdp1" +policy_name = "Delegation policy example" +model_name = "Delegation" + +subjects = {"user0": "", } +objects = {"user1": "", } +actions = {"delegate": ""} + +subject_categories = {"subjectid": "", } +object_categories = {"delegated": "", } +action_categories = {"delegation-action": "", } + +subject_data = {"subjectid": {"user0": ""}} +object_data = {"delegated": {"user1": ""}} +action_data = {"delegation-action": {"delegate": ""}} + +subject_assignments = {"user0": {"subjectid": "user0"}} +object_assignments = {"user1": {"delegated": "user1"}} +action_assignments = {"delegate": {"delegation-action": "delegate"}} + +meta_rule = { + "session": {"id": "", "value": ("subjectid", "delegated", "delegation-action")}, +} + +rules = { + "session": ( + { + "rule": ("user0", "user1", "delegate"), + "instructions": ( + { + "update": {"request:subject": "user1"} # update the current user with "user1" + }, + {"chain": {"security_pipeline": "rbac"}} + ) + }, + ) +} + + diff --git a/tests/scenario/mls.py b/tests/scenario/mls.py new file mode 100644 index 00000000..3a3ded43 --- /dev/null +++ b/tests/scenario/mls.py @@ -0,0 +1,54 @@ + +pdp_name = "pdp1" +policy_name = "MLS Policy example" +model_name = "MLS" + +subjects = {"user0": "", "user1": "", "user2": "", } +objects = {"vm0": "", "vm1": "", } +actions = {"start": "", "stop": ""} + +subject_categories = {"subject-security-level": "", } +object_categories = {"object-security-level": "", } +action_categories = {"action-type": "", } + +subject_data = { + "subject-security-level": {"low": "", "medium": "", "high": ""}, +} +object_data = { + "object-security-level": {"low": "", "medium": "", "high": ""}, +} +action_data = {"action-type": {"vm-action": "", "storage-action": "", }} + +subject_assignments = { + "user0": {"subject-security-level": "high"}, + "user1": {"subject-security-level": "medium"}, +} +object_assignments = { + "vm0": {"object-security-level": "medium"}, + "vm1": {"object-security-level": "low"}, +} +action_assignments = { + "start": {"action-type": "vm-action"}, + "stop": {"action-type": "vm-action"} +} + +meta_rule = { + "mls": {"id": "", "value": ("subject-security-level", "object-security-level", "action-type")}, +} + +rules = { + "mls": ( + { + "rules": ("high", "medium", "vm-action"), + "instructions": ({"decision": "grant"}) + }, + { + "rules": ("high", "low", "vm-action"), + "instructions": ({"decision": "grant"}) + }, + { + "rules": ("medium", "low", "vm-action"), + "instructions": ({"decision": "grant"}) + }, + ) +} diff --git a/tests/scenario/rbac.py b/tests/scenario/rbac.py new file mode 100644 index 00000000..89fd7de8 --- /dev/null +++ b/tests/scenario/rbac.py @@ -0,0 +1,44 @@ + +pdp_name = "pdp1" +policy_name = "RBAC policy example" +model_name = "RBAC" +policy_genre = "authz" + +subjects = {"user0": "", "user1": "", } +objects = {"vm0": "", "vm1": "", } +actions = {"start": "", "stop": ""} + +subject_categories = {"role": "", } +object_categories = {"id": "", } +action_categories = {"action-type": "", } + +subject_data = {"role": {"admin": "", "employee": "", "*": ""}} +object_data = {"id": {"vm0": "", "vm1": "", "*": ""}} +action_data = {"action-type": {"vm-action": "", "*": ""}} + +subject_assignments = {"user0": ({"role": "employee"}, {"role": "*"}), "user1": ({"role": "employee"}, {"role": "*"}), } +object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})} +action_assignments = {"start": ({"action-type": "vm-action"}, {"action-type": "*"}), "stop": ({"action-type": "vm-action"}, {"action-type": "*"})} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, +} + +rules = { + "rbac": ( + { + "rule": ("admin", "vm0", "vm-action"), + "instructions": ( + {"decision": "grant"}, # "grant" to immediately exit, "continue" to wait for the result of next policy + ) + }, + { + "rule": ("employee", "vm1", "vm-action"), + "instructions": ( + {"decision": "grant"}, + ) + }, + ) +} + + diff --git a/tests/scenario/rbac_custom_100.py b/tests/scenario/rbac_custom_100.py new file mode 100644 index 00000000..9ee55dbd --- /dev/null +++ b/tests/scenario/rbac_custom_100.py @@ -0,0 +1,89 @@ +import random + +pdp_name = "pdp_100" +policy_name = "RBAC policy example 100 users" +model_name = "RBAC" +policy_genre = "authz" + +SUBJECT_NUMBER = 100 +OBJECT_NUMBER = 100 +ROLE_NUMBER = 50 + +subjects = {} +for _id in range(SUBJECT_NUMBER): + subjects["user{}".format(_id)] = "" +objects = {} +for _id in range(OBJECT_NUMBER): + objects["vm{}".format(_id)] = "" +actions = { + "start": "", + "stop": "", + "pause": "", + "unpause": "", + "destroy": "", +} + +subject_categories = {"role": "", } +object_categories = {"id": "", } +action_categories = {"action-type": "", } + +subject_data = {"role": {"admin": "", "*": ""}} +for _id in range(ROLE_NUMBER): + subject_data["role"]["role{}".format(_id)] = "" +object_data = {"id": {"*": ""}} +for _id in range(OBJECT_NUMBER): + object_data["id"]["vm{}".format(_id)] = "" +action_data = {"action-type": { + "vm-read": "", + "vm-write": "", + "*": "" +}} + +subject_assignments = {} +for _id in range(SUBJECT_NUMBER): + _role = "role{}".format(random.randrange(ROLE_NUMBER)) + subject_assignments["user{}".format(_id)] = [{"role": _role}, {"role": "*"}] +object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})} +for _id in range(OBJECT_NUMBER): + object_assignments["vm{}".format(_id)] = [{"id": "vm{}".format(_id)}, {"id": "*"}] +action_assignments = { + "start": ({"action-type": "vm-write"}, {"action-type": "*"}), + "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), + "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, +} + +rules = { + "rbac": [ + { + "rule": ("admin", "vm0", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("admin", "vm0", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + ] +} + +for _id in range(SUBJECT_NUMBER): + _role = "role{}".format(random.randrange(ROLE_NUMBER)) + _vm = "vm{}".format(random.randrange(OBJECT_NUMBER)) + _action = random.choice(list(action_data['action-type'].keys())) + rules["rbac"].append( + { + "rule": (_role, _vm, _action), + "instructions": ( + {"decision": "grant"}, + ) + }, + ) diff --git a/tests/scenario/rbac_custom_1000.py b/tests/scenario/rbac_custom_1000.py new file mode 100644 index 00000000..d6850485 --- /dev/null +++ b/tests/scenario/rbac_custom_1000.py @@ -0,0 +1,89 @@ +import random + +pdp_name = "pdp_1000" +policy_name = "RBAC policy example 1000 users" +model_name = "RBAC" +policy_genre = "authz" + +SUBJECT_NUMBER = 1000 +OBJECT_NUMBER = 500 +ROLE_NUMBER = 50 + +subjects = {} +for _id in range(SUBJECT_NUMBER): + subjects["user{}".format(_id)] = "" +objects = {} +for _id in range(OBJECT_NUMBER): + objects["vm{}".format(_id)] = "" +actions = { + "start": "", + "stop": "", + "pause": "", + "unpause": "", + "destroy": "", +} + +subject_categories = {"role": "", } +object_categories = {"id": "", } +action_categories = {"action-type": "", } + +subject_data = {"role": {"admin": "", "*": ""}} +for _id in range(ROLE_NUMBER): + subject_data["role"]["role{}".format(_id)] = "" +object_data = {"id": {"*": ""}} +for _id in range(OBJECT_NUMBER): + object_data["id"]["vm{}".format(_id)] = "" +action_data = {"action-type": { + "vm-read": "", + "vm-write": "", + "*": "" +}} + +subject_assignments = {} +for _id in range(SUBJECT_NUMBER): + _role = "role{}".format(random.randrange(ROLE_NUMBER)) + subject_assignments["user{}".format(_id)] = [{"role": _role}, {"role": "*"}] +object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})} +for _id in range(OBJECT_NUMBER): + object_assignments["vm{}".format(_id)] = [{"id": "vm{}".format(_id)}, {"id": "*"}] +action_assignments = { + "start": ({"action-type": "vm-write"}, {"action-type": "*"}), + "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), + "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, +} + +rules = { + "rbac": [ + { + "rule": ("admin", "vm0", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("admin", "vm0", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + ] +} + +for _id in range(SUBJECT_NUMBER): + _role = "role{}".format(random.randrange(ROLE_NUMBER)) + _vm = "vm{}".format(random.randrange(OBJECT_NUMBER)) + _action = random.choice(list(action_data['action-type'].keys())) + rules["rbac"].append( + { + "rule": (_role, _vm, _action), + "instructions": ( + {"decision": "grant"}, + ) + }, + ) diff --git a/tests/scenario/rbac_custom_50.py b/tests/scenario/rbac_custom_50.py new file mode 100644 index 00000000..e1437cf4 --- /dev/null +++ b/tests/scenario/rbac_custom_50.py @@ -0,0 +1,89 @@ +import random + +pdp_name = "pdp_50" +policy_name = "RBAC policy example 50 users" +model_name = "RBAC" +policy_genre = "authz" + +SUBJECT_NUMBER = 50 +OBJECT_NUMBER = 50 +ROLE_NUMBER = 10 + +subjects = {} +for _id in range(SUBJECT_NUMBER): + subjects["user{}".format(_id)] = "" +objects = {} +for _id in range(OBJECT_NUMBER): + objects["vm{}".format(_id)] = "" +actions = { + "start": "", + "stop": "", + "pause": "", + "unpause": "", + "destroy": "", +} + +subject_categories = {"role": "", } +object_categories = {"id": "", } +action_categories = {"action-type": "", } + +subject_data = {"role": {"admin": "", "*": ""}} +for _id in range(ROLE_NUMBER): + subject_data["role"]["role{}".format(_id)] = "" +object_data = {"id": {"*": ""}} +for _id in range(OBJECT_NUMBER): + object_data["id"]["vm{}".format(_id)] = "" +action_data = {"action-type": { + "vm-read": "", + "vm-write": "", + "*": "" +}} + +subject_assignments = {} +for _id in range(SUBJECT_NUMBER): + _role = "role{}".format(random.randrange(ROLE_NUMBER)) + subject_assignments["user{}".format(_id)] = [{"role": _role}, {"role": "*"}] +object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})} +for _id in range(OBJECT_NUMBER): + object_assignments["vm{}".format(_id)] = [{"id": "vm{}".format(_id)}, {"id": "*"}] +action_assignments = { + "start": ({"action-type": "vm-write"}, {"action-type": "*"}), + "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), + "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, +} + +rules = { + "rbac": [ + { + "rule": ("admin", "vm0", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("admin", "vm0", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + ] +} + +for _id in range(SUBJECT_NUMBER): + _role = "role{}".format(random.randrange(ROLE_NUMBER)) + _vm = "vm{}".format(random.randrange(OBJECT_NUMBER)) + _action = random.choice(list(action_data['action-type'].keys())) + rules["rbac"].append( + { + "rule": (_role, _vm, _action), + "instructions": ( + {"decision": "grant"}, + ) + }, + ) diff --git a/tests/scenario/rbac_large.py b/tests/scenario/rbac_large.py new file mode 100644 index 00000000..ef5dd9b2 --- /dev/null +++ b/tests/scenario/rbac_large.py @@ -0,0 +1,233 @@ + +pdp_name = "pdp1" +policy_name = "RBAC policy example" +model_name = "RBAC" +policy_genre = "authz" + +subjects = { + "user0": "", + "user1": "", + "user2": "", + "user3": "", + "user4": "", + "user5": "", + "user6": "", + "user7": "", + "user8": "", + "user9": "", +} +objects = { + "vm0": "", + "vm1": "", + "vm2": "", + "vm3": "", + "vm4": "", + "vm5": "", + "vm6": "", + "vm7": "", + "vm8": "", + "vm9": "", +} +actions = { + "start": "", + "stop": "", + "pause": "", + "unpause": "", + "destroy": "", +} + +subject_categories = {"role": "", } +object_categories = {"id": "", } +action_categories = {"action-type": "", } + +subject_data = {"role": { + "admin": "", + "employee": "", + "dev1": "", + "dev2": "", + "*": "" +}} +object_data = {"id": { + "vm0": "", + "vm1": "", + "vm2": "", + "vm3": "", + "vm4": "", + "vm5": "", + "vm6": "", + "vm7": "", + "vm8": "", + "vm9": "", + "*": "" +}} +action_data = {"action-type": { + "vm-read": "", + "vm-write": "", + "*": "" +}} + +subject_assignments = { + "user0": ({"role": "employee"}, {"role": "*"}), + "user1": ({"role": "employee"}, {"role": "*"}), + "user2": ({"role": "dev1"}, {"role": "*"}), + "user3": ({"role": "dev1"}, {"role": "*"}), + "user4": ({"role": "dev1"}, {"role": "*"}), + "user5": ({"role": "dev1"}, {"role": "*"}), + "user6": ({"role": "dev2"}, {"role": "*"}), + "user7": ({"role": "dev2"}, {"role": "*"}), + "user8": ({"role": "dev2"}, {"role": "*"}), + "user9": ({"role": "dev2"}, {"role": "*"}), +} +object_assignments = { + "vm0": ({"id": "vm0"}, {"id": "*"}), + "vm1": ({"id": "vm1"}, {"id": "*"}), + "vm2": ({"id": "vm2"}, {"id": "*"}), + "vm3": ({"id": "vm3"}, {"id": "*"}), + "vm4": ({"id": "vm4"}, {"id": "*"}), + "vm5": ({"id": "vm5"}, {"id": "*"}), + "vm6": ({"id": "vm6"}, {"id": "*"}), + "vm7": ({"id": "vm7"}, {"id": "*"}), + "vm8": ({"id": "vm8"}, {"id": "*"}), + "vm9": ({"id": "vm9"}, {"id": "*"}), +} +action_assignments = { + "start": ({"action-type": "vm-write"}, {"action-type": "*"}), + "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), + "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, +} + +rules = { + "rbac": ( + { + "rule": ("admin", "vm0", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("admin", "vm0", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all employee to do read actions to all VM except vm0 + { + "rule": ("employee", "vm1", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm2", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm3", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm4", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm5", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm6", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm7", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm8", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm9", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all dev1 to do read actions to some VM + { + "rule": ("dev1", "vm1", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev1", "vm2", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev1", "vm3", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev1", "vm4", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all dev2 to do read actions to some VM + { + "rule": ("dev2", "vm5", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm6", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm7", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm8", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm9", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + ) +} + + diff --git a/tests/scenario/rbac_mls.py b/tests/scenario/rbac_mls.py new file mode 100644 index 00000000..8a5362ea --- /dev/null +++ b/tests/scenario/rbac_mls.py @@ -0,0 +1,50 @@ + +pdp_name = "pdp1" +policy_name = "Multi policy example" +model_name = "RBAC" + +subjects = {"user0": "", "user1": "", "user2": "", } +objects = {"vm0": "", "vm1": "", } +actions = {"start": "", "stop": ""} + +subject_categories = {"role": "", "subject-security-level": "", } +object_categories = {"id": "", "object-security-level": "", } +action_categories = {"action-type": "", } + +subject_data = { + "role": {"admin": "", "employee": ""}, + "subject-security-level": {"low": "", "medium": "", "high": ""}, +} +object_data = { + "id": {"vm1": "", "vm2": ""}, + "object-security-level": {"low": "", "medium": "", "high": ""}, +} +action_data = {"action-type": {"vm-action": "", "storage-action": "", }} + +subject_assignments = { + "user0": {"role": "admin", "subject-security-level": "high"}, + "user1": {"role": "employee", "subject-security-level": "medium"}, +} +object_assignments = { + "vm0": {"id": "vm1", "object-security-level": "medium"}, + "vm1": {"id": "vm2", "object-security-level": "low"}, +} +action_assignments = { + "start": {"action-type": "vm-action"}, + "stop": {"action-type": "vm-action"} +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, + "mls": {"id": "", "value": ("subject-security-level", "object-security-level", "action-type")}, +} + +rules = { + "rbac": ( + ("admin", "vm1", "vm-action"), + ), + "mls": ( + ("high", "medium", "vm-action"), + ("medium", "low", "vm-action"), + ) +} diff --git a/tests/scenario/session.py b/tests/scenario/session.py new file mode 100644 index 00000000..97d7aec3 --- /dev/null +++ b/tests/scenario/session.py @@ -0,0 +1,60 @@ + +pdp_name = "pdp1" +policy_name = "Session policy example" +model_name = "Session" +policy_genre = "session" + +subjects = {"user0": "", "user1": "", } +objects = {"admin": "", "employee": "", } +actions = {"activate": "", "deactivate": ""} + +subject_categories = {"subjectid": "", } +object_categories = {"role": "", } +action_categories = {"session-action": "", } + +subject_data = {"subjectid": {"user0": "", "user1": ""}} +object_data = {"role": {"admin": "", "employee": "", "*": ""}} +action_data = {"session-action": {"activate": "", "deactivate": "", "*": ""}} + +subject_assignments = {"user0": ({"subjectid": "user0"}, ), "user1": ({"subjectid": "user1"}, ), } +object_assignments = {"admin": ({"role": "admin"}, {"role": "*"}), + "employee": ({"role": "employee"}, {"role": "employee"}) + } +action_assignments = {"activate": ({"session-action": "activate"}, {"session-action": "*"}, ), + "deactivate": ({"session-action": "deactivate"}, {"session-action": "*"}, ) + } + +meta_rule = { + "session": {"id": "", "value": ("subjectid", "role", "session-action")}, +} + +rules = { + "session": ( + { + "rule": ("user0", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user1", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "delete", + "target": "rbac:role:employee" # delete the role employee from the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + ) +} + + diff --git a/tests/scenario/session_large.py b/tests/scenario/session_large.py new file mode 100644 index 00000000..5b4a64b6 --- /dev/null +++ b/tests/scenario/session_large.py @@ -0,0 +1,389 @@ + +pdp_name = "pdp1" +policy_name = "Session policy example" +model_name = "Session" +policy_genre = "session" + +subjects = { + "user0": "", + "user1": "", + "user2": "", + "user3": "", + "user4": "", + "user5": "", + "user6": "", + "user7": "", + "user8": "", + "user9": "", +} +objects = {"admin": "", "employee": "", "dev1": "", "dev2": "", } +actions = {"activate": "", "deactivate": ""} + +subject_categories = {"subjectid": "", } +object_categories = {"role": "", } +action_categories = {"session-action": "", } + +subject_data = {"subjectid": { + "user0": "", + "user1": "", + "user2": "", + "user3": "", + "user4": "", + "user5": "", + "user6": "", + "user7": "", + "user8": "", + "user9": "", +}} +object_data = {"role": { + "admin": "", + "employee": "", + "dev1": "", + "dev2": "", + "*": "" +}} +action_data = {"session-action": {"activate": "", "deactivate": "", "*": ""}} + +subject_assignments = { + "user0": ({"subjectid": "user0"}, ), + "user1": ({"subjectid": "user1"}, ), + "user2": ({"subjectid": "user2"}, ), + "user3": ({"subjectid": "user3"}, ), + "user4": ({"subjectid": "user4"}, ), + "user5": ({"subjectid": "user5"}, ), + "user6": ({"subjectid": "user6"}, ), + "user7": ({"subjectid": "user7"}, ), + "user8": ({"subjectid": "user8"}, ), + "user9": ({"subjectid": "user9"}, ), +} +object_assignments = {"admin": ({"role": "admin"}, {"role": "*"}), + "employee": ({"role": "employee"}, {"role": "*"}), + "dev1": ({"role": "employee"}, {"role": "dev1"}, {"role": "*"}), + "dev2": ({"role": "employee"}, {"role": "dev2"}, {"role": "*"}), + } +action_assignments = {"activate": ({"session-action": "activate"}, {"session-action": "*"}, ), + "deactivate": ({"session-action": "deactivate"}, {"session-action": "*"}, ) + } + +meta_rule = { + "session": {"id": "", "value": ("subjectid", "role", "session-action")}, +} + +rules = { + "session": ( + { + "rule": ("user0", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user1", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "delete", + "target": "rbac:role:employee" # delete the role employee from the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user2", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user2", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user2", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user3", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user3", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user3", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user4", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user4", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user4", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user5", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user5", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user5", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user6", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user6", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user6", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user7", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user7", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user7", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user8", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user8", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user8", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user9", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user9", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user9", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + ) +} + + diff --git a/tests/send_authz.py b/tests/send_authz.py new file mode 100644 index 00000000..b4ed1d2f --- /dev/null +++ b/tests/send_authz.py @@ -0,0 +1,32 @@ +from importlib.machinery import SourceFileLoader +from python_moonclient import config, parse, models, policies, pdp, authz + + +if __name__ == "__main__": + args = parse.parse() + consul_host = args.consul_host + consul_port = args.consul_port + + models.init(consul_host, consul_port) + policies.init(consul_host, consul_port) + pdp.init(consul_host, consul_port) + + if args.filename: + print("Loading: {}".format(args.filename[0])) + m = SourceFileLoader("scenario", args.filename[0]) + scenario = m.load_module() + + keystone_project_id = pdp.get_keystone_id(args.pdp) + time_data = authz.send_requests( + scenario, + args.authz_host, + args.authz_port, + keystone_project_id, + request_second=args.request_second, + limit=args.limit, + dry_run=args.dry_run, + stress_test=args.stress_test, + destination=args.destination + ) + if not args.dry_run: + authz.save_data(args.write, time_data) -- cgit 1.2.3-korg