Add instructions tag in each rule

author asteroide <thomas.duval@orange.com>

Tue, 9 May 2017 08:16:06 +0000 (10:16 +0200)

committer asteroide <thomas.duval@orange.com>

Tue, 9 May 2017 08:16:06 +0000 (10:16 +0200)
author asteroide <thomas.duval@orange.com>
Tue, 9 May 2017 08:16:06 +0000 (10:16 +0200)
committer asteroide <thomas.duval@orange.com>
Tue, 9 May 2017 08:16:06 +0000 (10:16 +0200)
diff --git a/moonv4/moon_interface/tests/apitests/populate_default_values.py b/moonv4/moon_interface/tests/apitests/populate_default_values.py

index f58a744..e489a23 100644 (file)
--- a/moonv4/moon_interface/tests/apitests/populate_default_values.py
+++ b/moonv4/moon_interface/tests/apitests/populate_default_values.py
@@ -113,7 +113,7 @@ def create_policy(model_id, meta_rule_list):
          meta_rule_value = scenario.meta_rule[meta_rule_name]
          for rule in scenario.rules[meta_rule_name]:
              _meta_rule = list(meta_rule_value["value"])
-            for data_name in rule:
+            for data_name in rule["rule"]:
                  category_name = _meta_rule.pop(0)
                  if category_name in scenario.subject_categories:
                      data_list.append(scenario.subject_data[category_name][data_name])
@@ -121,7 +121,8 @@ def create_policy(model_id, meta_rule_list):
                      data_list.append(scenario.object_data[category_name][data_name])
                  elif category_name in scenario.action_categories:
                      data_list.append(scenario.action_data[category_name][data_name])
-            add_rule(policy_id, meta_rule_value["id"], data_list)
+            instructions = rule["instructions"]
+            add_rule(policy_id, meta_rule_value["id"], data_list, instructions)
      return policy_id
  
  
diff --git a/moonv4/moon_interface/tests/apitests/scenario/delegation.py b/moonv4/moon_interface/tests/apitests/scenario/delegation.py

new file mode 100644 (file)

index 0000000..839e74c
--- /dev/null
+++ b/moonv4/moon_interface/tests/apitests/scenario/delegation.py
@@ -0,0 +1,40 @@
+
+pdp_name = "pdp1"
+policy_name = "Delegation policy example"
+model_name = "Delegation"
+
+subjects = {"user0": "", }
+objects = {"user1": "", }
+actions = {"delegate": ""}
+
+subject_categories = {"subjectid": "", }
+object_categories = {"delegated": "", }
+action_categories = {"delegation-action": "", }
+
+subject_data = {"subjectid": {"user0": ""}}
+object_data = {"delegated": {"user1": ""}}
+action_data = {"delegation-action": {"delegate": ""}}
+
+subject_assignments = {"user0": {"subjectid": "user0"}}
+object_assignments = {"user1": {"delegated": "user1"}}
+action_assignments = {"delegate": {"delegation-action": "delegate"}}
+
+meta_rule = {
+    "session": {"id": "", "value": ("subjectid", "delegated", "delegation-action")},
+}
+
+rules = {
+    "session": (
+        {
+            "rule": ("user0", "user1", "delegate"),
+            "instructions": (
+                {
+                    "update": {"request:subject": "user1"}  # update the current user with "user1"
+                },
+                {"chain": {"security_pipeline": "rbac"}}
+            )
+        },
+    )
+}
+
+
diff --git a/moonv4/moon_interface/tests/apitests/scenario/mls.py b/moonv4/moon_interface/tests/apitests/scenario/mls.py

index e36a86b..3a3ded4 100644 (file)
--- a/moonv4/moon_interface/tests/apitests/scenario/mls.py
+++ b/moonv4/moon_interface/tests/apitests/scenario/mls.py
@@ -38,8 +38,17 @@ meta_rule = {
  
  rules = {
      "mls": (
-        ("high", "medium", "vm-action"),
-        ("high", "low", "vm-action"),
-        ("medium", "low", "vm-action"),
+        {
+            "rules": ("high", "medium", "vm-action"),
+            "instructions": ({"decision": "grant"})
+        },
+        {
+            "rules": ("high", "low", "vm-action"),
+            "instructions": ({"decision": "grant"})
+        },
+        {
+            "rules": ("medium", "low", "vm-action"),
+            "instructions": ({"decision": "grant"})
+        },
      )
  }
diff --git a/moonv4/moon_interface/tests/apitests/scenario/rbac.py b/moonv4/moon_interface/tests/apitests/scenario/rbac.py

index cd08308..a43bd1f 100644 (file)
--- a/moonv4/moon_interface/tests/apitests/scenario/rbac.py
+++ b/moonv4/moon_interface/tests/apitests/scenario/rbac.py
@@ -15,7 +15,7 @@ subject_data = {"role": {"admin": "", "employee": ""}}
  object_data = {"id": {"vm0": "", "vm1": ""}}
  action_data = {"action-type": {"vm-action": "", }}
  
-subject_assignments = {"user0": {"role": "admin"}, "user1": {"role": "employee"}, }
+subject_assignments = {"user0": {"role": "employee"}, "user1": {"role": "employee"}, }
  object_assignments = {"vm0": {"id": "vm0"}, "vm1": {"id": "vm1"}}
  action_assignments = {"start": {"action-type": "vm-action"}, "stop": {"action-type": "vm-action"}}
  
@@ -25,8 +25,18 @@ meta_rule = {
  
  rules = {
      "rbac": (
-        ("admin", "vm0", "vm-action"),
-        ("admin", "vm1", "vm-action"),
+        {
+            "rule": ("admin", "vm0", "vm-action"),
+            "instructions": (
+                {"decision": "grant"}  # "grant" to immediately exit, "continue" to wait for the result of next policy
+            )
+        },
+        {
+            "rule": ("admin", "vm1", "vm-action"),
+            "instructions": (
+                {"decision": "grant"}
+            )
+        },
      )
  }
  
diff --git a/moonv4/moon_interface/tests/apitests/scenario/session.py b/moonv4/moon_interface/tests/apitests/scenario/session.py

new file mode 100644 (file)

index 0000000..6b7e0f1
--- /dev/null
+++ b/moonv4/moon_interface/tests/apitests/scenario/session.py
@@ -0,0 +1,55 @@
+
+pdp_name = "pdp1"
+policy_name = "Session policy example"
+model_name = "Session"
+
+subjects = {"user0": "", "user1": "", }
+objects = {"admin": "", "employee": "", }
+actions = {"activate": "", "deactivate": ""}
+
+subject_categories = {"subjectid": "", }
+object_categories = {"role": "", }
+action_categories = {"session-action": "", }
+
+subject_data = {"subjectid": {"user0": "", "user1": ""}}
+object_data = {"role": {"admin": "", "employee": ""}}
+action_data = {"session-action": {"activate": "", "deactivate": ""}}
+
+subject_assignments = {"user0": {"subjectid": "user0"}, "user1": {"subjectid": "user1"}, }
+object_assignments = {"admin": {"role": "admin"}, "employee": {"role": "employee"}}
+action_assignments = {"activate": {"session-action": "activate"}, "deactivate": {"session-action": "deactivate"}}
+
+meta_rule = {
+    "session": {"id": "", "value": ("subjectid", "role", "session-action")},
+}
+
+rules = {
+    "session": (
+        {
+            "rule": ("user0", "admin", "activate"),
+            "instructions": (
+                {
+                    "update": {
+                        "operation": "add",
+                        "target": "rbac:role:admin"  # add the role admin to the current user
+                    }
+                },
+                {"chain": [{"security_pipeline": "rbac"}]}  # chain with the meta_rule named rbac
+            )
+        },
+        {
+            "rule": ("user1", "employee", "deactivate"),
+            "instructions": (
+                {
+                    "update": {
+                        "operation": "delete",
+                        "target": "rbac:role:employee"  # delete the role employee from the current user
+                    }
+                },
+                {"chain": [{"security_pipeline": "rbac"}]}  # chain with the meta_rule named rbac
+            )
+        },
+    )
+}
+
+
diff --git a/moonv4/moon_interface/tests/apitests/utils/policies.py b/moonv4/moon_interface/tests/apitests/utils/policies.py

index 67be91e..bf75734 100644 (file)
--- a/moonv4/moon_interface/tests/apitests/utils/policies.py
+++ b/moonv4/moon_interface/tests/apitests/utils/policies.py
@@ -527,11 +527,12 @@ def delete_action_assignment(policy_id, action_id, action_cat_id, action_data_id
              assert action_data_id not in result["action_assignments"][key]["assignments"]
  
  
-def add_rule(policy_id, meta_rule_id, rule):
+def add_rule(policy_id, meta_rule_id, rule, instructions={"chain": [{"security_pipeline": "rbac"}]}):
      req = requests.post(URL.format("/policies/{}/rules".format(policy_id)),
                          json={
                              "meta_rule_id": meta_rule_id,
                              "rule": rule,
+                            "instructions": instructions,
                              "enabled": True
                          },
                          headers=HEADERS)
author	asteroide <thomas.duval@orange.com>
	Tue, 9 May 2017 08:16:06 +0000 (10:16 +0200)
committer	asteroide <thomas.duval@orange.com>
	Tue, 9 May 2017 08:16:06 +0000 (10:16 +0200)
moonv4/moon_interface/tests/apitests/populate_default_values.py		patch \| blob \| history
moonv4/moon_interface/tests/apitests/scenario/delegation.py	[new file with mode: 0644]	patch \| blob
moonv4/moon_interface/tests/apitests/scenario/mls.py		patch \| blob \| history
moonv4/moon_interface/tests/apitests/scenario/rbac.py		patch \| blob \| history
moonv4/moon_interface/tests/apitests/scenario/session.py	[new file with mode: 0644]	patch \| blob
moonv4/moon_interface/tests/apitests/utils/policies.py		patch \| blob \| history