def test_token():
    """Install the baseline policies and capture the provider's audit state.

    Replaces the provider policy with a rate-limited wildcard rule, appends a
    narrower rule for ``*@rbccps.org``, checks that both rules survive a
    ``get_policy()`` round trip, records how many tokens the provider currently
    sees in its audit report, and builds the request ``body`` shared with the
    later token tests.
    """
    global body
    global TUPLE
    global RS

    # Throwaway rule so that set_policy() always starts from a known state.
    provider.set_policy("x can access *")

    policy = 'all can access * for 2 hours if tokens_per_day < 100'
    provider.set_policy(policy)
    assert policy in provider.get_policy()['response']['policy']

    new_policy = "*@rbccps.org can access resource-yyz-abc for 1 hour"
    assert provider.append_policy(new_policy)['success'] is True

    # append_policy() must keep the earlier rule alongside the new one.
    current_policy = provider.get_policy()['response']['policy']
    assert new_policy in current_policy
    assert policy in current_policy

    r = provider.audit_tokens(5)
    assert r['success'] is True
    as_provider = r['response']["as-provider"]
    num_tokens_before = len(as_provider)

    resource_prefix = "rbccps.org/9cf2c2382cf661fc20a4776345a3be7a143a109c/"
    body = [
        {
            "id": resource_prefix + RS + "/resource-xyz-yzz",
            "api": "/latest",
            "methods": ["GET"],
            "body": {"key": "some-key"},
        },
        {"id": resource_prefix + "abc.com/abc-xyz"},
    ]
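# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4

import os

from init import provider
from init import resource_server
from init import expect_failure

RS = "iisc.iudx.org.in"

# Dummy policy so the provider starts from a known, valid rule.
policy = "x can access *"
provider.set_policy(policy)

# A malformed rule must be rejected by set_policy() and must not replace the
# policy that was in force before the call.
invalid_policy = "invalid policy *"
expect_failure(True)
try:
    assert provider.set_policy(invalid_policy)['success'] is False
finally:
    # Reset the harness even when the assertion fails; otherwise every later
    # call in this file would still be treated as an expected failure.
    expect_failure(False)
r = provider.get_policy()['response']['policy']
assert policy in r
assert invalid_policy not in r

# The same malformed rule via append_policy(): must fail, policy stays intact.
invalid_policy = "invalid policy *"
expect_failure(True)
try:
    assert provider.append_policy(invalid_policy)['success'] is False
finally:
    expect_failure(False)
r = provider.get_policy()['response']['policy']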
# The call made just before this span must have succeeded.
assert r["success"] is True

group = "confidential"
member = "*****@*****.**"

r = provider.list_group(group)
assert r["success"] is True
assert len(r["response"]) == 1
assert r["response"][0]['consumer'] == member

# Removing the only member leaves the group empty.
r = provider.delete_consumer_from_group(member, group)
assert r["success"] is True
r = provider.list_group(group)
assert r["success"] is True
assert len(r["response"]) == 0

# Access to resource-xyz* is gated on membership of the "confidential" group.
provider.set_policy(
    'all can access iisc.iudx.org.in/resource-xyz* if consumer-in-group(xyz,confidential)'
)
body = {
    "id": "rbccps.org/9cf2c2382cf661fc20a4776345a3be7a143a109c/iisc.iudx.org.in/resource-xyz-yzz",
}

# Re-add the consumer and confirm a token is issued with the default 1-hour
# lifetime.  NOTE(review): the third argument (100) looks like a validity
# value for the membership -- confirm against the group API.
provider.add_consumer_to_group(member, group, 100)
r = provider.list_group(group)
assert len(r["response"]) == 1

r = consumer.get_token(body)
assert r["success"] is True
assert r["response"]["expires-in"] == 60 * 60
'[email protected] can access rs1.com/x-t/y/z/t/a/b/c for 2 days if country = "IN" OR api = "/latest"', '[email protected] and [email protected] can access rs1.com/x for 5 hours @ 5 INR', 'a,[email protected], and c can access x/y/z.a.b.c/t for 2 seconds @ 10.5 INR; all can access anything; x can access y', '* can access local_server/*/test if ip = "138.212.77.14" OR ip = "::ffff:ada0:d182"', '* can access test-server/test-resource/rs1 if body.operation = "select" AND body.on = "everything"', '* can access test-server/test-resource/rs2 if api = "/latest" AND method = "GET"', '[email protected] can access test/test/* if cert.class = 2 AND cert.issuer.cn = "ca.iudx.org.in"', '*@iisc.ac.in can access data/server1/* if cert.class = 3 AND ' + 'cert.o = "Indian Institute of Science \(IISc\)" AND cert.issuer.cn = "IUDX-sub-CA at iisc.ac.in"', '*@rbccps.org can access confidential/data/* if cert.title = "Member of Technical Staff" AND ' + 'cert.ou = "Robert Bosch Centre for Cyber-Physical Systems \(RBCCPS\)"', 'person@* can access local/test/1 if tokens_per_day = 300 AND cert.st = "Karnataka"' ] for rule in rules: r = provider.set_policy(rule) assert r['success'] is True policy = "x can access x" r = provider.set_policy(policy) assert r['success'] is True new_policy = "y can access y" r = provider.set_policy(policy) assert r['success'] is True r = provider.revert_policy() assert r['success'] is True r = provider.get_policy() assert r['success'] is True
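def _find_audit_entry(as_provider, token_hash):
    """Return the audit entry whose ``token-hash`` equals *token_hash*, or None."""
    for entry in as_provider:
        if entry['token-hash'] == token_hash:
            return entry
    return None


def test_multiple_provider_audit():
    """Audit one token that spans two providers.

    A single token is issued for resources owned by two different providers.
    Each provider's ``as-provider`` audit report must contain that token
    (matched by the SHA-256 of the token string, which is all the report
    exposes), show it as not revoked, and list only the resource ids that
    belong to that provider.
    """
    provider.set_policy("all can access abc.com/*")
    alt_provider.set_policy('all can access example.com/test-providers')

    body = [
        {"id": "iisc.ac.in/2052f450ac2dde345335fb18b82e21da92e3388c/example.com/test-providers"},
        {"id": "rbccps.org/9cf2c2382cf661fc20a4776345a3be7a143a109c/abc.com/ABC123"},
        {"id": "rbccps.org/9cf2c2382cf661fc20a4776345a3be7a143a109c/abc.com/abc-xyz"},
    ]
    r = consumer.get_token(body)
    assert r['success'] is True
    access_token = r['response']

    # Audit reports carry only the hash of the token, never the token itself.
    token_hash = hashlib.sha256(
        access_token['token'].encode('utf-8')).hexdigest()

    # Each provider must see the token, and only the ids under its own domain.
    # The lookup is re-done per provider so a missing entry fails with a clear
    # assertion instead of indexing None.
    checks = ((alt_provider, 'iisc.ac.in'), (provider, 'rbccps.org'))
    for prov, id_prefix in checks:
        r = prov.audit_tokens(5)
        assert r["success"] is True
        as_provider = r['response']["as-provider"]
        found = _find_audit_entry(as_provider, token_hash)
        assert found is not None, "token-hash not present in audit report"
        assert found['revoked'] is False
        for request in found['request']:
            assert request['id'].startswith(id_prefix) is True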
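def _count_revoked(entries):
    """Return how many audit entries carry ``revoked`` == True."""
    return sum(1 for entry in entries if entry['revoked'] is True)


def test_revoke_with_token():
    """Revoke a token via the provider API and check audit counts and policies.

    Steps, as exercised below:

    1. The provider obtains a 2-hour token for the module-level ``body`` and
       the token string is checked to have the ``<auth-server>/<…>/<…>`` shape.
    2. The token is revoked; the ``as-consumer`` audit report must show more
       revoked entries afterwards than before.
    3. With a ``*@iisc.ac.in`` policy installed, the restricted consumer gets a
       1-month token for ``rs1`` ids but is refused with HTTP 403 when the
       request also names an ``rs2`` id (presumably a restriction of that
       consumer rather than of the policy -- confirm against the harness).
    4. The newer request formats (list of id strings, a single id string, a
       single dict) are accepted and honour the policy's 5-month lifetime.
    """
    global body

    prefix = "rbccps.org/9cf2c2382cf661fc20a4776345a3be7a143a109c/"

    r = provider.get_token(body)
    assert r['success'] is True
    access_token = r['response']
    assert access_token is not None
    assert access_token['expires-in'] == 60 * 60 * 2

    token = access_token['token']
    # Some client builds hand the token back wrapped in a 1-tuple.
    if isinstance(token, tuple):
        token = token[0]
    parts = token.split("/")
    assert len(parts) == 3
    assert parts[0] == 'auth.iudx.org.in'

    r = provider.audit_tokens(5)
    assert r["success"] is True
    num_revoked_before = _count_revoked(r['response']["as-consumer"])

    r = provider.revoke_tokens(token)
    assert r["success"] is True
    assert r["response"]["num-tokens-revoked"] >= 1

    r = provider.audit_tokens(5)
    assert r["success"] is True
    num_revoked_after = _count_revoked(r['response']["as-consumer"])
    assert num_revoked_before < num_revoked_after

    # --- restricted consumer: rs1 ids are granted, an rs2 id is refused ---
    new_policy = "*@iisc.ac.in can access * for 1 month"
    assert provider.set_policy(new_policy)['success'] is True

    body = [{"id": prefix + "rs1/r1"}, {"id": prefix + "rs1/r2"}]
    r = restricted_consumer.get_token(body)
    assert r['success'] is True
    access_token = r['response']
    assert access_token is not None
    assert access_token['expires-in'] == 60 * 60 * 24 * 30 * 1

    body = [{"id": prefix + "rs1/r1"}, {"id": prefix + "rs2/r2"}]
    expect_failure(True)
    try:
        r = restricted_consumer.get_token(body)
    finally:
        # Reset the harness even if get_token() raises, so later calls are not
        # silently treated as expected failures.
        expect_failure(False)
    assert r['success'] is False
    assert r['status_code'] == 403

    # --- new request formats ---
    new_policy = "*@iisc.ac.in can access * for 5 months"
    assert provider.set_policy(new_policy)['success'] is True
    five_months = 60 * 60 * 24 * 30 * 5

    # A list of plain id strings.
    body = [prefix + "rs1/r1", prefix + "rs2/r2"]
    r = consumer.get_token(body)
    assert r['success'] is True
    assert r['response']['expires-in'] == five_months

    # A single id string.
    body = prefix + "rs1/r1"
    r = consumer.get_token(body)
    assert r['success'] is True
    assert r['response']['expires-in'] == five_months

    # A single dict.
    body = {"id": prefix + "rs1/r1"}
    r = consumer.get_token(body)
    assert r['success'] is True
    assert r['response']['expires-in'] == five_months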
import hashlib

from init import provider
from init import untrusted
from init import resource_server
from init import expect_failure
from init import restricted_consumer

RS = "iisc.iudx.org.in"
TUPLE = tuple  # used to unwrap tokens that come back as a 1-tuple

# Dummy rule so set_policy() starts from a known valid state.
policy = "x can access *"
provider.set_policy(policy)

policy = 'all can access * for 2 hours if tokens_per_day < 100'
provider.set_policy(policy)
assert policy in provider.get_policy()['response']['policy']

new_policy = "*@rbccps.org can access resource-yyz-abc for 1 hour"
assert provider.append_policy(new_policy)['success'] is True

# After append_policy() both the old and the new rule must be present.
x = provider.get_policy()['response']['policy']
assert new_policy in x
assert policy in x

r = provider.audit_tokens(5)
assert r['success'] is True
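# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4

from init import provider

# Rules exercising the policy grammar the auth server must accept: lifetimes,
# conditions on request attributes (country, api, method, ip, body.*), pricing
# ("@ 5 INR"), several rules joined by ";", and conditions on client
# certificate fields (cert.class, cert.o, cert.ou, cert.title, cert.st,
# cert.issuer.cn).  The certificate-field rules use raw strings so the
# backslash-escaped parentheses reach the policy parser unchanged without
# Python flagging them as invalid escape sequences.
rules = [
    '[email protected] can access rs1.com/x/y/z/t/a/b/c for 2 days',
    '[email protected] can access rs1.com/_x/y/z/t/a/b/c for 2 days if country = "IN" AND api = "/latest"',
    '[email protected] can access rs1.com/x-t/y/z/t/a/b/c for 2 days if country = "IN" OR api = "/latest"',
    '[email protected] and [email protected] can access rs1.com/x for 5 hours @ 5 INR',
    'a,[email protected], and c can access x/y/z.a.b.c/t for 2 seconds @ 10.5 INR; all can access anything; x can access y',
    '* can access local_server/*/test if ip = "138.212.77.14" OR ip = "::ffff:ada0:d182"',
    '* can access test-server/test-resource/rs1 if body.operation = "select" AND body.on = "everything"',
    '* can access test-server/test-resource/rs2 if api = "/latest" AND method = "GET"',
    '[email protected] can access test/test/* if cert.class = 2 AND cert.issuer.cn = "ca.iudx.org.in"',
    '*@iisc.ac.in can access data/server1/* if cert.class = 3 AND '
    + r'cert.o = "Indian Institute of Science \(IISc\)" AND cert.issuer.cn = "IUDX-sub-CA at iisc.ac.in"',
    '*@rbccps.org can access confidential/data/* if cert.title = "Member of Technical Staff" AND '
    + r'cert.ou = "Robert Bosch Centre for Cyber-Physical Systems \(RBCCPS\)"',
    'person@* can access local/test/1 if tokens_per_day = 300 AND cert.st = "Karnataka"',
]

# Each rule must parse and install on its own.  set_policy() appears to
# replace the policy in force (append_policy() is the additive call), so this
# loop checks acceptance of each rule, not their combination.
for rule in rules:
    r = provider.set_policy(rule)
    assert r['success'] is True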
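import hashlib
import os

from init import consumer
from init import provider
from init import resource_server

# Resource-server host used in resource ids; when the auth server under test
# runs locally, the resource server is expected locally as well.
RS = "iisc.iudx.org.in"
if os.environ.get("AUTH_SERVER") == "localhost":
    RS = "localhost"

TUPLE = tuple  # used to unwrap tokens that come back as a 1-tuple

# Dummy rule so set_policy() starts from a known valid state.
policy = "x can access *"
provider.set_policy(policy)

# set_policy() replaces the policy in force: get_policy() must return exactly
# the rule just installed.
policy = 'all can access * for 2 hours if tokens_per_day < 100'
provider.set_policy(policy)
assert policy == provider.get_policy()['response']['policy']

# append_policy() is additive: the stored policy becomes the previous text
# followed by ';' and the new rule.
new_policy = "*@rbccps.org can access resource-yyz-abc for 1 hour"
assert provider.append_policy(new_policy)['success'] is True
updated_policy = policy + ';' + new_policy
assert updated_policy == provider.get_policy()['response']['policy']

r = provider.audit_tokens(5)
assert r['success'] is True
audit_report = r['response']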