From 69910cdd22ec3b27f3e1f608b317f9683de1dcf6 Mon Sep 17 00:00:00 2001 From: RHE Date: Tue, 26 Dec 2017 15:38:11 +0100 Subject: moon kubernetes review Change-Id: I49a62f18ac6ecd06cdbc8e51b4e8ba00971ce6aa Signed-off-by: RHE --- tests/functional/get_keystone_projects.py | 16 - tests/functional/populate_default_values.py | 37 -- tests/functional/scenario/delegation.py | 40 --- tests/functional/scenario/mls.py | 54 --- tests/functional/scenario/rbac.py | 44 --- tests/functional/scenario/rbac_custom_100.py | 89 ----- tests/functional/scenario/rbac_custom_1000.py | 89 ----- tests/functional/scenario/rbac_custom_50.py | 89 ----- tests/functional/scenario/rbac_large.py | 233 ------------ tests/functional/scenario/rbac_mls.py | 50 --- tests/functional/scenario/session.py | 60 ---- tests/functional/scenario/session_large.py | 389 --------------------- tests/functional/scenario_available/delegation.py | 40 +++ tests/functional/scenario_available/mls.py | 59 ++++ tests/functional/scenario_available/rbac.py | 61 ++++ .../scenario_available/rbac_custom_100.py | 89 +++++ .../scenario_available/rbac_custom_1000.py | 89 +++++ .../scenario_available/rbac_custom_50.py | 89 +++++ tests/functional/scenario_available/rbac_large.py | 233 ++++++++++++ tests/functional/scenario_available/rbac_mls.py | 50 +++ tests/functional/scenario_available/session.py | 60 ++++ .../functional/scenario_available/session_large.py | 389 +++++++++++++++++++++ tests/functional/scenario_enabled/mls.py | 1 + tests/functional/scenario_enabled/rbac.py | 1 + tests/functional/send_authz.py | 32 -- 25 files changed, 1161 insertions(+), 1222 deletions(-) delete mode 100644 tests/functional/get_keystone_projects.py delete mode 100644 tests/functional/populate_default_values.py delete mode 100644 tests/functional/scenario/delegation.py delete mode 100644 tests/functional/scenario/mls.py delete mode 100644 tests/functional/scenario/rbac.py delete mode 100644 tests/functional/scenario/rbac_custom_100.py delete mode 100644 tests/functional/scenario/rbac_custom_1000.py delete mode 100644 tests/functional/scenario/rbac_custom_50.py delete mode 100644 tests/functional/scenario/rbac_large.py delete mode 100644 tests/functional/scenario/rbac_mls.py delete mode 100644 tests/functional/scenario/session.py delete mode 100644 tests/functional/scenario/session_large.py create mode 100644 tests/functional/scenario_available/delegation.py create mode 100644 tests/functional/scenario_available/mls.py create mode 100644 tests/functional/scenario_available/rbac.py create mode 100644 tests/functional/scenario_available/rbac_custom_100.py create mode 100644 tests/functional/scenario_available/rbac_custom_1000.py create mode 100644 tests/functional/scenario_available/rbac_custom_50.py create mode 100644 tests/functional/scenario_available/rbac_large.py create mode 100644 tests/functional/scenario_available/rbac_mls.py create mode 100644 tests/functional/scenario_available/session.py create mode 100644 tests/functional/scenario_available/session_large.py create mode 120000 tests/functional/scenario_enabled/mls.py create mode 120000 tests/functional/scenario_enabled/rbac.py delete mode 100644 tests/functional/send_authz.py (limited to 'tests') diff --git a/tests/functional/get_keystone_projects.py b/tests/functional/get_keystone_projects.py deleted file mode 100644 index 9b5d87cd..00000000 --- a/tests/functional/get_keystone_projects.py +++ /dev/null @@ -1,16 +0,0 @@ -from python_moonclient import parse, models, policies, pdp - - -if __name__ == "__main__": - args = parse.parse() - consul_host = args.consul_host - consul_port = args.consul_port - - models.init(consul_host, consul_port) - policies.init(consul_host, consul_port) - pdp.init(consul_host, consul_port) - - projects = pdp.get_keystone_projects() - - for _project in projects['projects']: - print("{} {}".format(_project['id'], _project['name'])) diff --git a/tests/functional/populate_default_values.py b/tests/functional/populate_default_values.py deleted file mode 100644 index d5a5769b..00000000 --- a/tests/functional/populate_default_values.py +++ /dev/null @@ -1,37 +0,0 @@ -import logging -from importlib.machinery import SourceFileLoader -from python_moonclient import parse, models, policies, pdp - -logger = logging.getLogger("moonforming") - - -if __name__ == "__main__": - requests_log = logging.getLogger("requests.packages.urllib3") - requests_log.setLevel(logging.WARNING) - requests_log.propagate = True - - args = parse.parse() - consul_host = args.consul_host - consul_port = args.consul_port - project_id = args.keystone_pid - - models.init(consul_host, consul_port) - policies.init(consul_host, consul_port) - pdp.init(consul_host, consul_port) - - if args.filename: - print("Loading: {}".format(args.filename[0])) - m = SourceFileLoader("scenario", args.filename[0]) - scenario = m.load_module() - - _models = models.check_model() - for _model_id, _model_value in _models['models'].items(): - if _model_value['name'] == scenario.model_name: - model_id = _model_id - meta_rule_list = _model_value['meta_rules'] - models.create_model(scenario, model_id) - break - else: - model_id, meta_rule_list = models.create_model(scenario) - policy_id = policies.create_policy(scenario, model_id, meta_rule_list) - pdp_id = pdp.create_pdp(scenario, policy_id=policy_id, project_id=project_id) diff --git a/tests/functional/scenario/delegation.py b/tests/functional/scenario/delegation.py deleted file mode 100644 index 839e74ce..00000000 --- a/tests/functional/scenario/delegation.py +++ /dev/null @@ -1,40 +0,0 @@ - -pdp_name = "pdp1" -policy_name = "Delegation policy example" -model_name = "Delegation" - -subjects = {"user0": "", } -objects = {"user1": "", } -actions = {"delegate": ""} - -subject_categories = {"subjectid": "", } -object_categories = {"delegated": "", } -action_categories = {"delegation-action": "", } - -subject_data = {"subjectid": {"user0": ""}} -object_data = {"delegated": {"user1": ""}} -action_data = {"delegation-action": {"delegate": ""}} - -subject_assignments = {"user0": {"subjectid": "user0"}} -object_assignments = {"user1": {"delegated": "user1"}} -action_assignments = {"delegate": {"delegation-action": "delegate"}} - -meta_rule = { - "session": {"id": "", "value": ("subjectid", "delegated", "delegation-action")}, -} - -rules = { - "session": ( - { - "rule": ("user0", "user1", "delegate"), - "instructions": ( - { - "update": {"request:subject": "user1"} # update the current user with "user1" - }, - {"chain": {"security_pipeline": "rbac"}} - ) - }, - ) -} - - diff --git a/tests/functional/scenario/mls.py b/tests/functional/scenario/mls.py deleted file mode 100644 index 3a3ded43..00000000 --- a/tests/functional/scenario/mls.py +++ /dev/null @@ -1,54 +0,0 @@ - -pdp_name = "pdp1" -policy_name = "MLS Policy example" -model_name = "MLS" - -subjects = {"user0": "", "user1": "", "user2": "", } -objects = {"vm0": "", "vm1": "", } -actions = {"start": "", "stop": ""} - -subject_categories = {"subject-security-level": "", } -object_categories = {"object-security-level": "", } -action_categories = {"action-type": "", } - -subject_data = { - "subject-security-level": {"low": "", "medium": "", "high": ""}, -} -object_data = { - "object-security-level": {"low": "", "medium": "", "high": ""}, -} -action_data = {"action-type": {"vm-action": "", "storage-action": "", }} - -subject_assignments = { - "user0": {"subject-security-level": "high"}, - "user1": {"subject-security-level": "medium"}, -} -object_assignments = { - "vm0": {"object-security-level": "medium"}, - "vm1": {"object-security-level": "low"}, -} -action_assignments = { - "start": {"action-type": "vm-action"}, - "stop": {"action-type": "vm-action"} -} - -meta_rule = { - "mls": {"id": "", "value": ("subject-security-level", "object-security-level", "action-type")}, -} - -rules = { - "mls": ( - { - "rules": ("high", "medium", "vm-action"), - "instructions": ({"decision": "grant"}) - }, - { - "rules": ("high", "low", "vm-action"), - "instructions": ({"decision": "grant"}) - }, - { - "rules": ("medium", "low", "vm-action"), - "instructions": ({"decision": "grant"}) - }, - ) -} diff --git a/tests/functional/scenario/rbac.py b/tests/functional/scenario/rbac.py deleted file mode 100644 index 89fd7de8..00000000 --- a/tests/functional/scenario/rbac.py +++ /dev/null @@ -1,44 +0,0 @@ - -pdp_name = "pdp1" -policy_name = "RBAC policy example" -model_name = "RBAC" -policy_genre = "authz" - -subjects = {"user0": "", "user1": "", } -objects = {"vm0": "", "vm1": "", } -actions = {"start": "", "stop": ""} - -subject_categories = {"role": "", } -object_categories = {"id": "", } -action_categories = {"action-type": "", } - -subject_data = {"role": {"admin": "", "employee": "", "*": ""}} -object_data = {"id": {"vm0": "", "vm1": "", "*": ""}} -action_data = {"action-type": {"vm-action": "", "*": ""}} - -subject_assignments = {"user0": ({"role": "employee"}, {"role": "*"}), "user1": ({"role": "employee"}, {"role": "*"}), } -object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})} -action_assignments = {"start": ({"action-type": "vm-action"}, {"action-type": "*"}), "stop": ({"action-type": "vm-action"}, {"action-type": "*"})} - -meta_rule = { - "rbac": {"id": "", "value": ("role", "id", "action-type")}, -} - -rules = { - "rbac": ( - { - "rule": ("admin", "vm0", "vm-action"), - "instructions": ( - {"decision": "grant"}, # "grant" to immediately exit, "continue" to wait for the result of next policy - ) - }, - { - "rule": ("employee", "vm1", "vm-action"), - "instructions": ( - {"decision": "grant"}, - ) - }, - ) -} - - diff --git a/tests/functional/scenario/rbac_custom_100.py b/tests/functional/scenario/rbac_custom_100.py deleted file mode 100644 index 9ee55dbd..00000000 --- a/tests/functional/scenario/rbac_custom_100.py +++ /dev/null @@ -1,89 +0,0 @@ -import random - -pdp_name = "pdp_100" -policy_name = "RBAC policy example 100 users" -model_name = "RBAC" -policy_genre = "authz" - -SUBJECT_NUMBER = 100 -OBJECT_NUMBER = 100 -ROLE_NUMBER = 50 - -subjects = {} -for _id in range(SUBJECT_NUMBER): - subjects["user{}".format(_id)] = "" -objects = {} -for _id in range(OBJECT_NUMBER): - objects["vm{}".format(_id)] = "" -actions = { - "start": "", - "stop": "", - "pause": "", - "unpause": "", - "destroy": "", -} - -subject_categories = {"role": "", } -object_categories = {"id": "", } -action_categories = {"action-type": "", } - -subject_data = {"role": {"admin": "", "*": ""}} -for _id in range(ROLE_NUMBER): - subject_data["role"]["role{}".format(_id)] = "" -object_data = {"id": {"*": ""}} -for _id in range(OBJECT_NUMBER): - object_data["id"]["vm{}".format(_id)] = "" -action_data = {"action-type": { - "vm-read": "", - "vm-write": "", - "*": "" -}} - -subject_assignments = {} -for _id in range(SUBJECT_NUMBER): - _role = "role{}".format(random.randrange(ROLE_NUMBER)) - subject_assignments["user{}".format(_id)] = [{"role": _role}, {"role": "*"}] -object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})} -for _id in range(OBJECT_NUMBER): - object_assignments["vm{}".format(_id)] = [{"id": "vm{}".format(_id)}, {"id": "*"}] -action_assignments = { - "start": ({"action-type": "vm-write"}, {"action-type": "*"}), - "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), - "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), - "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), - "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), -} - -meta_rule = { - "rbac": {"id": "", "value": ("role", "id", "action-type")}, -} - -rules = { - "rbac": [ - { - "rule": ("admin", "vm0", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("admin", "vm0", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - ] -} - -for _id in range(SUBJECT_NUMBER): - _role = "role{}".format(random.randrange(ROLE_NUMBER)) - _vm = "vm{}".format(random.randrange(OBJECT_NUMBER)) - _action = random.choice(list(action_data['action-type'].keys())) - rules["rbac"].append( - { - "rule": (_role, _vm, _action), - "instructions": ( - {"decision": "grant"}, - ) - }, - ) diff --git a/tests/functional/scenario/rbac_custom_1000.py b/tests/functional/scenario/rbac_custom_1000.py deleted file mode 100644 index d6850485..00000000 --- a/tests/functional/scenario/rbac_custom_1000.py +++ /dev/null @@ -1,89 +0,0 @@ -import random - -pdp_name = "pdp_1000" -policy_name = "RBAC policy example 1000 users" -model_name = "RBAC" -policy_genre = "authz" - -SUBJECT_NUMBER = 1000 -OBJECT_NUMBER = 500 -ROLE_NUMBER = 50 - -subjects = {} -for _id in range(SUBJECT_NUMBER): - subjects["user{}".format(_id)] = "" -objects = {} -for _id in range(OBJECT_NUMBER): - objects["vm{}".format(_id)] = "" -actions = { - "start": "", - "stop": "", - "pause": "", - "unpause": "", - "destroy": "", -} - -subject_categories = {"role": "", } -object_categories = {"id": "", } -action_categories = {"action-type": "", } - -subject_data = {"role": {"admin": "", "*": ""}} -for _id in range(ROLE_NUMBER): - subject_data["role"]["role{}".format(_id)] = "" -object_data = {"id": {"*": ""}} -for _id in range(OBJECT_NUMBER): - object_data["id"]["vm{}".format(_id)] = "" -action_data = {"action-type": { - "vm-read": "", - "vm-write": "", - "*": "" -}} - -subject_assignments = {} -for _id in range(SUBJECT_NUMBER): - _role = "role{}".format(random.randrange(ROLE_NUMBER)) - subject_assignments["user{}".format(_id)] = [{"role": _role}, {"role": "*"}] -object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})} -for _id in range(OBJECT_NUMBER): - object_assignments["vm{}".format(_id)] = [{"id": "vm{}".format(_id)}, {"id": "*"}] -action_assignments = { - "start": ({"action-type": "vm-write"}, {"action-type": "*"}), - "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), - "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), - "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), - "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), -} - -meta_rule = { - "rbac": {"id": "", "value": ("role", "id", "action-type")}, -} - -rules = { - "rbac": [ - { - "rule": ("admin", "vm0", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("admin", "vm0", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - ] -} - -for _id in range(SUBJECT_NUMBER): - _role = "role{}".format(random.randrange(ROLE_NUMBER)) - _vm = "vm{}".format(random.randrange(OBJECT_NUMBER)) - _action = random.choice(list(action_data['action-type'].keys())) - rules["rbac"].append( - { - "rule": (_role, _vm, _action), - "instructions": ( - {"decision": "grant"}, - ) - }, - ) diff --git a/tests/functional/scenario/rbac_custom_50.py b/tests/functional/scenario/rbac_custom_50.py deleted file mode 100644 index e1437cf4..00000000 --- a/tests/functional/scenario/rbac_custom_50.py +++ /dev/null @@ -1,89 +0,0 @@ -import random - -pdp_name = "pdp_50" -policy_name = "RBAC policy example 50 users" -model_name = "RBAC" -policy_genre = "authz" - -SUBJECT_NUMBER = 50 -OBJECT_NUMBER = 50 -ROLE_NUMBER = 10 - -subjects = {} -for _id in range(SUBJECT_NUMBER): - subjects["user{}".format(_id)] = "" -objects = {} -for _id in range(OBJECT_NUMBER): - objects["vm{}".format(_id)] = "" -actions = { - "start": "", - "stop": "", - "pause": "", - "unpause": "", - "destroy": "", -} - -subject_categories = {"role": "", } -object_categories = {"id": "", } -action_categories = {"action-type": "", } - -subject_data = {"role": {"admin": "", "*": ""}} -for _id in range(ROLE_NUMBER): - subject_data["role"]["role{}".format(_id)] = "" -object_data = {"id": {"*": ""}} -for _id in range(OBJECT_NUMBER): - object_data["id"]["vm{}".format(_id)] = "" -action_data = {"action-type": { - "vm-read": "", - "vm-write": "", - "*": "" -}} - -subject_assignments = {} -for _id in range(SUBJECT_NUMBER): - _role = "role{}".format(random.randrange(ROLE_NUMBER)) - subject_assignments["user{}".format(_id)] = [{"role": _role}, {"role": "*"}] -object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})} -for _id in range(OBJECT_NUMBER): - object_assignments["vm{}".format(_id)] = [{"id": "vm{}".format(_id)}, {"id": "*"}] -action_assignments = { - "start": ({"action-type": "vm-write"}, {"action-type": "*"}), - "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), - "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), - "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), - "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), -} - -meta_rule = { - "rbac": {"id": "", "value": ("role", "id", "action-type")}, -} - -rules = { - "rbac": [ - { - "rule": ("admin", "vm0", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("admin", "vm0", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - ] -} - -for _id in range(SUBJECT_NUMBER): - _role = "role{}".format(random.randrange(ROLE_NUMBER)) - _vm = "vm{}".format(random.randrange(OBJECT_NUMBER)) - _action = random.choice(list(action_data['action-type'].keys())) - rules["rbac"].append( - { - "rule": (_role, _vm, _action), - "instructions": ( - {"decision": "grant"}, - ) - }, - ) diff --git a/tests/functional/scenario/rbac_large.py b/tests/functional/scenario/rbac_large.py deleted file mode 100644 index ef5dd9b2..00000000 --- a/tests/functional/scenario/rbac_large.py +++ /dev/null @@ -1,233 +0,0 @@ - -pdp_name = "pdp1" -policy_name = "RBAC policy example" -model_name = "RBAC" -policy_genre = "authz" - -subjects = { - "user0": "", - "user1": "", - "user2": "", - "user3": "", - "user4": "", - "user5": "", - "user6": "", - "user7": "", - "user8": "", - "user9": "", -} -objects = { - "vm0": "", - "vm1": "", - "vm2": "", - "vm3": "", - "vm4": "", - "vm5": "", - "vm6": "", - "vm7": "", - "vm8": "", - "vm9": "", -} -actions = { - "start": "", - "stop": "", - "pause": "", - "unpause": "", - "destroy": "", -} - -subject_categories = {"role": "", } -object_categories = {"id": "", } -action_categories = {"action-type": "", } - -subject_data = {"role": { - "admin": "", - "employee": "", - "dev1": "", - "dev2": "", - "*": "" -}} -object_data = {"id": { - "vm0": "", - "vm1": "", - "vm2": "", - "vm3": "", - "vm4": "", - "vm5": "", - "vm6": "", - "vm7": "", - "vm8": "", - "vm9": "", - "*": "" -}} -action_data = {"action-type": { - "vm-read": "", - "vm-write": "", - "*": "" -}} - -subject_assignments = { - "user0": ({"role": "employee"}, {"role": "*"}), - "user1": ({"role": "employee"}, {"role": "*"}), - "user2": ({"role": "dev1"}, {"role": "*"}), - "user3": ({"role": "dev1"}, {"role": "*"}), - "user4": ({"role": "dev1"}, {"role": "*"}), - "user5": ({"role": "dev1"}, {"role": "*"}), - "user6": ({"role": "dev2"}, {"role": "*"}), - "user7": ({"role": "dev2"}, {"role": "*"}), - "user8": ({"role": "dev2"}, {"role": "*"}), - "user9": ({"role": "dev2"}, {"role": "*"}), -} -object_assignments = { - "vm0": ({"id": "vm0"}, {"id": "*"}), - "vm1": ({"id": "vm1"}, {"id": "*"}), - "vm2": ({"id": "vm2"}, {"id": "*"}), - "vm3": ({"id": "vm3"}, {"id": "*"}), - "vm4": ({"id": "vm4"}, {"id": "*"}), - "vm5": ({"id": "vm5"}, {"id": "*"}), - "vm6": ({"id": "vm6"}, {"id": "*"}), - "vm7": ({"id": "vm7"}, {"id": "*"}), - "vm8": ({"id": "vm8"}, {"id": "*"}), - "vm9": ({"id": "vm9"}, {"id": "*"}), -} -action_assignments = { - "start": ({"action-type": "vm-write"}, {"action-type": "*"}), - "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), - "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), - "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), - "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), -} - -meta_rule = { - "rbac": {"id": "", "value": ("role", "id", "action-type")}, -} - -rules = { - "rbac": ( - { - "rule": ("admin", "vm0", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("admin", "vm0", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - # Rules for grant all employee to do read actions to all VM except vm0 - { - "rule": ("employee", "vm1", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm2", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm3", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm4", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm5", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm6", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm7", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm8", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm9", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - # Rules for grant all dev1 to do read actions to some VM - { - "rule": ("dev1", "vm1", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("dev1", "vm2", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("dev1", "vm3", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("dev1", "vm4", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - # Rules for grant all dev2 to do read actions to some VM - { - "rule": ("dev2", "vm5", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("dev2", "vm6", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("dev2", "vm7", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("dev2", "vm8", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("dev2", "vm9", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - ) -} - - diff --git a/tests/functional/scenario/rbac_mls.py b/tests/functional/scenario/rbac_mls.py deleted file mode 100644 index 8a5362ea..00000000 --- a/tests/functional/scenario/rbac_mls.py +++ /dev/null @@ -1,50 +0,0 @@ - -pdp_name = "pdp1" -policy_name = "Multi policy example" -model_name = "RBAC" - -subjects = {"user0": "", "user1": "", "user2": "", } -objects = {"vm0": "", "vm1": "", } -actions = {"start": "", "stop": ""} - -subject_categories = {"role": "", "subject-security-level": "", } -object_categories = {"id": "", "object-security-level": "", } -action_categories = {"action-type": "", } - -subject_data = { - "role": {"admin": "", "employee": ""}, - "subject-security-level": {"low": "", "medium": "", "high": ""}, -} -object_data = { - "id": {"vm1": "", "vm2": ""}, - "object-security-level": {"low": "", "medium": "", "high": ""}, -} -action_data = {"action-type": {"vm-action": "", "storage-action": "", }} - -subject_assignments = { - "user0": {"role": "admin", "subject-security-level": "high"}, - "user1": {"role": "employee", "subject-security-level": "medium"}, -} -object_assignments = { - "vm0": {"id": "vm1", "object-security-level": "medium"}, - "vm1": {"id": "vm2", "object-security-level": "low"}, -} -action_assignments = { - "start": {"action-type": "vm-action"}, - "stop": {"action-type": "vm-action"} -} - -meta_rule = { - "rbac": {"id": "", "value": ("role", "id", "action-type")}, - "mls": {"id": "", "value": ("subject-security-level", "object-security-level", "action-type")}, -} - -rules = { - "rbac": ( - ("admin", "vm1", "vm-action"), - ), - "mls": ( - ("high", "medium", "vm-action"), - ("medium", "low", "vm-action"), - ) -} diff --git a/tests/functional/scenario/session.py b/tests/functional/scenario/session.py deleted file mode 100644 index 97d7aec3..00000000 --- a/tests/functional/scenario/session.py +++ /dev/null @@ -1,60 +0,0 @@ - -pdp_name = "pdp1" -policy_name = "Session policy example" -model_name = "Session" -policy_genre = "session" - -subjects = {"user0": "", "user1": "", } -objects = {"admin": "", "employee": "", } -actions = {"activate": "", "deactivate": ""} - -subject_categories = {"subjectid": "", } -object_categories = {"role": "", } -action_categories = {"session-action": "", } - -subject_data = {"subjectid": {"user0": "", "user1": ""}} -object_data = {"role": {"admin": "", "employee": "", "*": ""}} -action_data = {"session-action": {"activate": "", "deactivate": "", "*": ""}} - -subject_assignments = {"user0": ({"subjectid": "user0"}, ), "user1": ({"subjectid": "user1"}, ), } -object_assignments = {"admin": ({"role": "admin"}, {"role": "*"}), - "employee": ({"role": "employee"}, {"role": "employee"}) - } -action_assignments = {"activate": ({"session-action": "activate"}, {"session-action": "*"}, ), - "deactivate": ({"session-action": "deactivate"}, {"session-action": "*"}, ) - } - -meta_rule = { - "session": {"id": "", "value": ("subjectid", "role", "session-action")}, -} - -rules = { - "session": ( - { - "rule": ("user0", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user1", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "delete", - "target": "rbac:role:employee" # delete the role employee from the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - ) -} - - diff --git a/tests/functional/scenario/session_large.py b/tests/functional/scenario/session_large.py deleted file mode 100644 index 5b4a64b6..00000000 --- a/tests/functional/scenario/session_large.py +++ /dev/null @@ -1,389 +0,0 @@ - -pdp_name = "pdp1" -policy_name = "Session policy example" -model_name = "Session" -policy_genre = "session" - -subjects = { - "user0": "", - "user1": "", - "user2": "", - "user3": "", - "user4": "", - "user5": "", - "user6": "", - "user7": "", - "user8": "", - "user9": "", -} -objects = {"admin": "", "employee": "", "dev1": "", "dev2": "", } -actions = {"activate": "", "deactivate": ""} - -subject_categories = {"subjectid": "", } -object_categories = {"role": "", } -action_categories = {"session-action": "", } - -subject_data = {"subjectid": { - "user0": "", - "user1": "", - "user2": "", - "user3": "", - "user4": "", - "user5": "", - "user6": "", - "user7": "", - "user8": "", - "user9": "", -}} -object_data = {"role": { - "admin": "", - "employee": "", - "dev1": "", - "dev2": "", - "*": "" -}} -action_data = {"session-action": {"activate": "", "deactivate": "", "*": ""}} - -subject_assignments = { - "user0": ({"subjectid": "user0"}, ), - "user1": ({"subjectid": "user1"}, ), - "user2": ({"subjectid": "user2"}, ), - "user3": ({"subjectid": "user3"}, ), - "user4": ({"subjectid": "user4"}, ), - "user5": ({"subjectid": "user5"}, ), - "user6": ({"subjectid": "user6"}, ), - "user7": ({"subjectid": "user7"}, ), - "user8": ({"subjectid": "user8"}, ), - "user9": ({"subjectid": "user9"}, ), -} -object_assignments = {"admin": ({"role": "admin"}, {"role": "*"}), - "employee": ({"role": "employee"}, {"role": "*"}), - "dev1": ({"role": "employee"}, {"role": "dev1"}, {"role": "*"}), - "dev2": ({"role": "employee"}, {"role": "dev2"}, {"role": "*"}), - } -action_assignments = {"activate": ({"session-action": "activate"}, {"session-action": "*"}, ), - "deactivate": ({"session-action": "deactivate"}, {"session-action": "*"}, ) - } - -meta_rule = { - "session": {"id": "", "value": ("subjectid", "role", "session-action")}, -} - -rules = { - "session": ( - { - "rule": ("user0", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user1", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "delete", - "target": "rbac:role:employee" # delete the role employee from the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user2", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user2", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user2", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user3", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user3", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user3", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user4", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user4", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user4", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user5", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user5", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user5", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user6", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user6", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user6", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user7", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user7", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user7", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user8", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user8", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user8", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user9", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user9", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user9", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - ) -} - - diff --git a/tests/functional/scenario_available/delegation.py b/tests/functional/scenario_available/delegation.py new file mode 100644 index 00000000..839e74ce --- /dev/null +++ b/tests/functional/scenario_available/delegation.py @@ -0,0 +1,40 @@ + +pdp_name = "pdp1" +policy_name = "Delegation policy example" +model_name = "Delegation" + +subjects = {"user0": "", } +objects = {"user1": "", } +actions = {"delegate": ""} + +subject_categories = {"subjectid": "", } +object_categories = {"delegated": "", } +action_categories = {"delegation-action": "", } + +subject_data = {"subjectid": {"user0": ""}} +object_data = {"delegated": {"user1": ""}} +action_data = {"delegation-action": {"delegate": ""}} + +subject_assignments = {"user0": {"subjectid": "user0"}} +object_assignments = {"user1": {"delegated": "user1"}} +action_assignments = {"delegate": {"delegation-action": "delegate"}} + +meta_rule = { + "session": {"id": "", "value": ("subjectid", "delegated", "delegation-action")}, +} + +rules = { + "session": ( + { + "rule": ("user0", "user1", "delegate"), + "instructions": ( + { + "update": {"request:subject": "user1"} # update the current user with "user1" + }, + {"chain": {"security_pipeline": "rbac"}} + ) + }, + ) +} + + diff --git a/tests/functional/scenario_available/mls.py b/tests/functional/scenario_available/mls.py new file mode 100644 index 00000000..0e6285c9 --- /dev/null +++ b/tests/functional/scenario_available/mls.py @@ -0,0 +1,59 @@ + +pdp_name = "pdp_mls" +policy_name = "MLS Policy example" +model_name = "MLS" +policy_genre = "authz" + +subjects = {"adminuser": "", "user1": "", "user2": "", } +objects = {"vm0": "", "vm1": "", } +actions = {"start": "", "stop": ""} + +subject_categories = {"subject-security-level": "", } +object_categories = {"object-security-level": "", } +action_categories = {"action-type": "", } + +subject_data = { + "subject-security-level": {"low": "", "medium": "", "high": ""}, +} +object_data = { + "object-security-level": {"low": "", "medium": "", "high": ""}, +} +action_data = {"action-type": {"vm-action": "", "storage-action": "", }} + +subject_assignments = { + "adminuser": {"subject-security-level": "high"}, + "user1": {"subject-security-level": "medium"}, +} +object_assignments = { + "vm0": {"object-security-level": "medium"}, + "vm1": {"object-security-level": "low"}, +} +action_assignments = { + "start": {"action-type": "vm-action"}, + "stop": {"action-type": "vm-action"} +} + +meta_rule = { + "mls": { + "id": "", + "value": ("subject-security-level", + "object-security-level", + "action-type")}, +} + +rules = { + "mls": ( + { + "rule": ("high", "medium", "vm-action"), + "instructions": ({"decision": "grant"}) + }, + { + "rule": ("high", "low", "vm-action"), + "instructions": ({"decision": "grant"}) + }, + { + "rule": ("medium", "low", "vm-action"), + "instructions": ({"decision": "grant"}) + }, + ) +} diff --git a/tests/functional/scenario_available/rbac.py b/tests/functional/scenario_available/rbac.py new file mode 100644 index 00000000..25c010fd --- /dev/null +++ b/tests/functional/scenario_available/rbac.py @@ -0,0 +1,61 @@ + +pdp_name = "pdp_rbac" +policy_name = "RBAC policy example" +model_name = "RBAC" +policy_genre = "authz" + +subjects = {"adminuser": "", "user1": "", } +objects = {"vm0": "", "vm1": "", } +actions = {"start": "", "stop": ""} + +subject_categories = {"role": "", } +object_categories = {"id": "", } +action_categories = {"action-type": "", } + +subject_data = {"role": {"admin": "", "employee": "", "*": ""}} +object_data = {"id": {"vm0": "", "vm1": "", "*": ""}} +action_data = {"action-type": {"vm-action": "", "*": ""}} + +subject_assignments = { + "adminuser": + ({"role": "admin"}, {"role": "employee"}, {"role": "*"}), + "user1": + ({"role": "employee"}, {"role": "*"}), +} +object_assignments = { + "vm0": + ({"id": "vm0"}, {"id": "*"}), + "vm1": + ({"id": "vm1"}, {"id": "*"}) +} +action_assignments = { + "start": + ({"action-type": "vm-action"}, {"action-type": "*"}), + "stop": + ({"action-type": "vm-action"}, {"action-type": "*"}) +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, +} + +rules = { + "rbac": ( + { + "rule": ("admin", "vm0", "vm-action"), + "instructions": ( + {"decision": "grant"}, + # "grant" to immediately exit, + # "continue" to wait for the result of next policy + ) + }, + { + "rule": ("employee", "vm1", "vm-action"), + "instructions": ( + {"decision": "grant"}, + ) + }, + ) +} + + diff --git a/tests/functional/scenario_available/rbac_custom_100.py b/tests/functional/scenario_available/rbac_custom_100.py new file mode 100644 index 00000000..9ee55dbd --- /dev/null +++ b/tests/functional/scenario_available/rbac_custom_100.py @@ -0,0 +1,89 @@ +import random + +pdp_name = "pdp_100" +policy_name = "RBAC policy example 100 users" +model_name = "RBAC" +policy_genre = "authz" + +SUBJECT_NUMBER = 100 +OBJECT_NUMBER = 100 +ROLE_NUMBER = 50 + +subjects = {} +for _id in range(SUBJECT_NUMBER): + subjects["user{}".format(_id)] = "" +objects = {} +for _id in range(OBJECT_NUMBER): + objects["vm{}".format(_id)] = "" +actions = { + "start": "", + "stop": "", + "pause": "", + "unpause": "", + "destroy": "", +} + +subject_categories = {"role": "", } +object_categories = {"id": "", } +action_categories = {"action-type": "", } + +subject_data = {"role": {"admin": "", "*": ""}} +for _id in range(ROLE_NUMBER): + subject_data["role"]["role{}".format(_id)] = "" +object_data = {"id": {"*": ""}} +for _id in range(OBJECT_NUMBER): + object_data["id"]["vm{}".format(_id)] = "" +action_data = {"action-type": { + "vm-read": "", + "vm-write": "", + "*": "" +}} + +subject_assignments = {} +for _id in range(SUBJECT_NUMBER): + _role = "role{}".format(random.randrange(ROLE_NUMBER)) + subject_assignments["user{}".format(_id)] = [{"role": _role}, {"role": "*"}] +object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})} +for _id in range(OBJECT_NUMBER): + object_assignments["vm{}".format(_id)] = [{"id": "vm{}".format(_id)}, {"id": "*"}] +action_assignments = { + "start": ({"action-type": "vm-write"}, {"action-type": "*"}), + "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), + "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, +} + +rules = { + "rbac": [ + { + "rule": ("admin", "vm0", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("admin", "vm0", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + ] +} + +for _id in range(SUBJECT_NUMBER): + _role = "role{}".format(random.randrange(ROLE_NUMBER)) + _vm = "vm{}".format(random.randrange(OBJECT_NUMBER)) + _action = random.choice(list(action_data['action-type'].keys())) + rules["rbac"].append( + { + "rule": (_role, _vm, _action), + "instructions": ( + {"decision": "grant"}, + ) + }, + ) diff --git a/tests/functional/scenario_available/rbac_custom_1000.py b/tests/functional/scenario_available/rbac_custom_1000.py new file mode 100644 index 00000000..d6850485 --- /dev/null +++ b/tests/functional/scenario_available/rbac_custom_1000.py @@ -0,0 +1,89 @@ +import random + +pdp_name = "pdp_1000" +policy_name = "RBAC policy example 1000 users" +model_name = "RBAC" +policy_genre = "authz" + +SUBJECT_NUMBER = 1000 +OBJECT_NUMBER = 500 +ROLE_NUMBER = 50 + +subjects = {} +for _id in range(SUBJECT_NUMBER): + subjects["user{}".format(_id)] = "" +objects = {} +for _id in range(OBJECT_NUMBER): + objects["vm{}".format(_id)] = "" +actions = { + "start": "", + "stop": "", + "pause": "", + "unpause": "", + "destroy": "", +} + +subject_categories = {"role": "", } +object_categories = {"id": "", } +action_categories = {"action-type": "", } + +subject_data = {"role": {"admin": "", "*": ""}} +for _id in range(ROLE_NUMBER): + subject_data["role"]["role{}".format(_id)] = "" +object_data = {"id": {"*": ""}} +for _id in range(OBJECT_NUMBER): + object_data["id"]["vm{}".format(_id)] = "" +action_data = {"action-type": { + "vm-read": "", + "vm-write": "", + "*": "" +}} + +subject_assignments = {} +for _id in range(SUBJECT_NUMBER): + _role = "role{}".format(random.randrange(ROLE_NUMBER)) + subject_assignments["user{}".format(_id)] = [{"role": _role}, {"role": "*"}] +object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})} +for _id in range(OBJECT_NUMBER): + object_assignments["vm{}".format(_id)] = [{"id": "vm{}".format(_id)}, {"id": "*"}] +action_assignments = { + "start": ({"action-type": "vm-write"}, {"action-type": "*"}), + "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), + "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, +} + +rules = { + "rbac": [ + { + "rule": ("admin", "vm0", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("admin", "vm0", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + ] +} + +for _id in range(SUBJECT_NUMBER): + _role = "role{}".format(random.randrange(ROLE_NUMBER)) + _vm = "vm{}".format(random.randrange(OBJECT_NUMBER)) + _action = random.choice(list(action_data['action-type'].keys())) + rules["rbac"].append( + { + "rule": (_role, _vm, _action), + "instructions": ( + {"decision": "grant"}, + ) + }, + ) diff --git a/tests/functional/scenario_available/rbac_custom_50.py b/tests/functional/scenario_available/rbac_custom_50.py new file mode 100644 index 00000000..e1437cf4 --- /dev/null +++ b/tests/functional/scenario_available/rbac_custom_50.py @@ -0,0 +1,89 @@ +import random + +pdp_name = "pdp_50" +policy_name = "RBAC policy example 50 users" +model_name = "RBAC" +policy_genre = "authz" + +SUBJECT_NUMBER = 50 +OBJECT_NUMBER = 50 +ROLE_NUMBER = 10 + +subjects = {} +for _id in range(SUBJECT_NUMBER): + subjects["user{}".format(_id)] = "" +objects = {} +for _id in range(OBJECT_NUMBER): + objects["vm{}".format(_id)] = "" +actions = { + "start": "", + "stop": "", + "pause": "", + "unpause": "", + "destroy": "", +} + +subject_categories = {"role": "", } +object_categories = {"id": "", } +action_categories = {"action-type": "", } + +subject_data = {"role": {"admin": "", "*": ""}} +for _id in range(ROLE_NUMBER): + subject_data["role"]["role{}".format(_id)] = "" +object_data = {"id": {"*": ""}} +for _id in range(OBJECT_NUMBER): + object_data["id"]["vm{}".format(_id)] = "" +action_data = {"action-type": { + "vm-read": "", + "vm-write": "", + "*": "" +}} + +subject_assignments = {} +for _id in range(SUBJECT_NUMBER): + _role = "role{}".format(random.randrange(ROLE_NUMBER)) + subject_assignments["user{}".format(_id)] = [{"role": _role}, {"role": "*"}] +object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})} +for _id in range(OBJECT_NUMBER): + object_assignments["vm{}".format(_id)] = [{"id": "vm{}".format(_id)}, {"id": "*"}] +action_assignments = { + "start": ({"action-type": "vm-write"}, {"action-type": "*"}), + "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), + "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, +} + +rules = { + "rbac": [ + { + "rule": ("admin", "vm0", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("admin", "vm0", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + ] +} + +for _id in range(SUBJECT_NUMBER): + _role = "role{}".format(random.randrange(ROLE_NUMBER)) + _vm = "vm{}".format(random.randrange(OBJECT_NUMBER)) + _action = random.choice(list(action_data['action-type'].keys())) + rules["rbac"].append( + { + "rule": (_role, _vm, _action), + "instructions": ( + {"decision": "grant"}, + ) + }, + ) diff --git a/tests/functional/scenario_available/rbac_large.py b/tests/functional/scenario_available/rbac_large.py new file mode 100644 index 00000000..ef5dd9b2 --- /dev/null +++ b/tests/functional/scenario_available/rbac_large.py @@ -0,0 +1,233 @@ + +pdp_name = "pdp1" +policy_name = "RBAC policy example" +model_name = "RBAC" +policy_genre = "authz" + +subjects = { + "user0": "", + "user1": "", + "user2": "", + "user3": "", + "user4": "", + "user5": "", + "user6": "", + "user7": "", + "user8": "", + "user9": "", +} +objects = { + "vm0": "", + "vm1": "", + "vm2": "", + "vm3": "", + "vm4": "", + "vm5": "", + "vm6": "", + "vm7": "", + "vm8": "", + "vm9": "", +} +actions = { + "start": "", + "stop": "", + "pause": "", + "unpause": "", + "destroy": "", +} + +subject_categories = {"role": "", } +object_categories = {"id": "", } +action_categories = {"action-type": "", } + +subject_data = {"role": { + "admin": "", + "employee": "", + "dev1": "", + "dev2": "", + "*": "" +}} +object_data = {"id": { + "vm0": "", + "vm1": "", + "vm2": "", + "vm3": "", + "vm4": "", + "vm5": "", + "vm6": "", + "vm7": "", + "vm8": "", + "vm9": "", + "*": "" +}} +action_data = {"action-type": { + "vm-read": "", + "vm-write": "", + "*": "" +}} + +subject_assignments = { + "user0": ({"role": "employee"}, {"role": "*"}), + "user1": ({"role": "employee"}, {"role": "*"}), + "user2": ({"role": "dev1"}, {"role": "*"}), + "user3": ({"role": "dev1"}, {"role": "*"}), + "user4": ({"role": "dev1"}, {"role": "*"}), + "user5": ({"role": "dev1"}, {"role": "*"}), + "user6": ({"role": "dev2"}, {"role": "*"}), + "user7": ({"role": "dev2"}, {"role": "*"}), + "user8": ({"role": "dev2"}, {"role": "*"}), + "user9": ({"role": "dev2"}, {"role": "*"}), +} +object_assignments = { + "vm0": ({"id": "vm0"}, {"id": "*"}), + "vm1": ({"id": "vm1"}, {"id": "*"}), + "vm2": ({"id": "vm2"}, {"id": "*"}), + "vm3": ({"id": "vm3"}, {"id": "*"}), + "vm4": ({"id": "vm4"}, {"id": "*"}), + "vm5": ({"id": "vm5"}, {"id": "*"}), + "vm6": ({"id": "vm6"}, {"id": "*"}), + "vm7": ({"id": "vm7"}, {"id": "*"}), + "vm8": ({"id": "vm8"}, {"id": "*"}), + "vm9": ({"id": "vm9"}, {"id": "*"}), +} +action_assignments = { + "start": ({"action-type": "vm-write"}, {"action-type": "*"}), + "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), + "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), + "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, +} + +rules = { + "rbac": ( + { + "rule": ("admin", "vm0", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("admin", "vm0", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all employee to do read actions to all VM except vm0 + { + "rule": ("employee", "vm1", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm2", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm3", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm4", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm5", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm6", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm7", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm8", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("employee", "vm9", "vm-read"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all dev1 to do read actions to some VM + { + "rule": ("dev1", "vm1", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev1", "vm2", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev1", "vm3", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev1", "vm4", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + # Rules for grant all dev2 to do read actions to some VM + { + "rule": ("dev2", "vm5", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm6", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm7", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm8", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + { + "rule": ("dev2", "vm9", "vm-write"), + "instructions": ( + {"decision": "grant"}, + ) + }, + ) +} + + diff --git a/tests/functional/scenario_available/rbac_mls.py b/tests/functional/scenario_available/rbac_mls.py new file mode 100644 index 00000000..8a5362ea --- /dev/null +++ b/tests/functional/scenario_available/rbac_mls.py @@ -0,0 +1,50 @@ + +pdp_name = "pdp1" +policy_name = "Multi policy example" +model_name = "RBAC" + +subjects = {"user0": "", "user1": "", "user2": "", } +objects = {"vm0": "", "vm1": "", } +actions = {"start": "", "stop": ""} + +subject_categories = {"role": "", "subject-security-level": "", } +object_categories = {"id": "", "object-security-level": "", } +action_categories = {"action-type": "", } + +subject_data = { + "role": {"admin": "", "employee": ""}, + "subject-security-level": {"low": "", "medium": "", "high": ""}, +} +object_data = { + "id": {"vm1": "", "vm2": ""}, + "object-security-level": {"low": "", "medium": "", "high": ""}, +} +action_data = {"action-type": {"vm-action": "", "storage-action": "", }} + +subject_assignments = { + "user0": {"role": "admin", "subject-security-level": "high"}, + "user1": {"role": "employee", "subject-security-level": "medium"}, +} +object_assignments = { + "vm0": {"id": "vm1", "object-security-level": "medium"}, + "vm1": {"id": "vm2", "object-security-level": "low"}, +} +action_assignments = { + "start": {"action-type": "vm-action"}, + "stop": {"action-type": "vm-action"} +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, + "mls": {"id": "", "value": ("subject-security-level", "object-security-level", "action-type")}, +} + +rules = { + "rbac": ( + ("admin", "vm1", "vm-action"), + ), + "mls": ( + ("high", "medium", "vm-action"), + ("medium", "low", "vm-action"), + ) +} diff --git a/tests/functional/scenario_available/session.py b/tests/functional/scenario_available/session.py new file mode 100644 index 00000000..97d7aec3 --- /dev/null +++ b/tests/functional/scenario_available/session.py @@ -0,0 +1,60 @@ + +pdp_name = "pdp1" +policy_name = "Session policy example" +model_name = "Session" +policy_genre = "session" + +subjects = {"user0": "", "user1": "", } +objects = {"admin": "", "employee": "", } +actions = {"activate": "", "deactivate": ""} + +subject_categories = {"subjectid": "", } +object_categories = {"role": "", } +action_categories = {"session-action": "", } + +subject_data = {"subjectid": {"user0": "", "user1": ""}} +object_data = {"role": {"admin": "", "employee": "", "*": ""}} +action_data = {"session-action": {"activate": "", "deactivate": "", "*": ""}} + +subject_assignments = {"user0": ({"subjectid": "user0"}, ), "user1": ({"subjectid": "user1"}, ), } +object_assignments = {"admin": ({"role": "admin"}, {"role": "*"}), + "employee": ({"role": "employee"}, {"role": "employee"}) + } +action_assignments = {"activate": ({"session-action": "activate"}, {"session-action": "*"}, ), + "deactivate": ({"session-action": "deactivate"}, {"session-action": "*"}, ) + } + +meta_rule = { + "session": {"id": "", "value": ("subjectid", "role", "session-action")}, +} + +rules = { + "session": ( + { + "rule": ("user0", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user1", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "delete", + "target": "rbac:role:employee" # delete the role employee from the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + ) +} + + diff --git a/tests/functional/scenario_available/session_large.py b/tests/functional/scenario_available/session_large.py new file mode 100644 index 00000000..5b4a64b6 --- /dev/null +++ b/tests/functional/scenario_available/session_large.py @@ -0,0 +1,389 @@ + +pdp_name = "pdp1" +policy_name = "Session policy example" +model_name = "Session" +policy_genre = "session" + +subjects = { + "user0": "", + "user1": "", + "user2": "", + "user3": "", + "user4": "", + "user5": "", + "user6": "", + "user7": "", + "user8": "", + "user9": "", +} +objects = {"admin": "", "employee": "", "dev1": "", "dev2": "", } +actions = {"activate": "", "deactivate": ""} + +subject_categories = {"subjectid": "", } +object_categories = {"role": "", } +action_categories = {"session-action": "", } + +subject_data = {"subjectid": { + "user0": "", + "user1": "", + "user2": "", + "user3": "", + "user4": "", + "user5": "", + "user6": "", + "user7": "", + "user8": "", + "user9": "", +}} +object_data = {"role": { + "admin": "", + "employee": "", + "dev1": "", + "dev2": "", + "*": "" +}} +action_data = {"session-action": {"activate": "", "deactivate": "", "*": ""}} + +subject_assignments = { + "user0": ({"subjectid": "user0"}, ), + "user1": ({"subjectid": "user1"}, ), + "user2": ({"subjectid": "user2"}, ), + "user3": ({"subjectid": "user3"}, ), + "user4": ({"subjectid": "user4"}, ), + "user5": ({"subjectid": "user5"}, ), + "user6": ({"subjectid": "user6"}, ), + "user7": ({"subjectid": "user7"}, ), + "user8": ({"subjectid": "user8"}, ), + "user9": ({"subjectid": "user9"}, ), +} +object_assignments = {"admin": ({"role": "admin"}, {"role": "*"}), + "employee": ({"role": "employee"}, {"role": "*"}), + "dev1": ({"role": "employee"}, {"role": "dev1"}, {"role": "*"}), + "dev2": ({"role": "employee"}, {"role": "dev2"}, {"role": "*"}), + } +action_assignments = {"activate": ({"session-action": "activate"}, {"session-action": "*"}, ), + "deactivate": ({"session-action": "deactivate"}, {"session-action": "*"}, ) + } + +meta_rule = { + "session": {"id": "", "value": ("subjectid", "role", "session-action")}, +} + +rules = { + "session": ( + { + "rule": ("user0", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user1", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "delete", + "target": "rbac:role:employee" # delete the role employee from the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user2", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user2", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user2", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user3", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user3", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user3", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user4", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user4", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user4", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user5", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user5", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user5", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user6", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user6", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user6", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user7", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user7", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user7", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user8", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user8", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user8", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user9", "employee", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user9", "dev1", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + { + "rule": ("user9", "dev2", "*"), + "instructions": ( + { + "update": { + "operation": "add", + "target": "rbac:role:admin" # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac + ) + }, + ) +} + + diff --git a/tests/functional/scenario_enabled/mls.py b/tests/functional/scenario_enabled/mls.py new file mode 120000 index 00000000..6acd75ce --- /dev/null +++ b/tests/functional/scenario_enabled/mls.py @@ -0,0 +1 @@ +../scenario_available/mls.py \ No newline at end of file diff --git a/tests/functional/scenario_enabled/rbac.py b/tests/functional/scenario_enabled/rbac.py new file mode 120000 index 00000000..0edc905a --- /dev/null +++ b/tests/functional/scenario_enabled/rbac.py @@ -0,0 +1 @@ +../scenario_available/rbac.py \ No newline at end of file diff --git a/tests/functional/send_authz.py b/tests/functional/send_authz.py deleted file mode 100644 index b4ed1d2f..00000000 --- a/tests/functional/send_authz.py +++ /dev/null @@ -1,32 +0,0 @@ -from importlib.machinery import SourceFileLoader -from python_moonclient import config, parse, models, policies, pdp, authz - - -if __name__ == "__main__": - args = parse.parse() - consul_host = args.consul_host - consul_port = args.consul_port - - models.init(consul_host, consul_port) - policies.init(consul_host, consul_port) - pdp.init(consul_host, consul_port) - - if args.filename: - print("Loading: {}".format(args.filename[0])) - m = SourceFileLoader("scenario", args.filename[0]) - scenario = m.load_module() - - keystone_project_id = pdp.get_keystone_id(args.pdp) - time_data = authz.send_requests( - scenario, - args.authz_host, - args.authz_port, - keystone_project_id, - request_second=args.request_second, - limit=args.limit, - dry_run=args.dry_run, - stress_test=args.stress_test, - destination=args.destination - ) - if not args.dry_run: - authz.save_data(args.write, time_data) -- cgit 1.2.3-korg