def test_get(st): st.add(Policy.from_json({"uid": "1", "rules": {}, "targets": {}, "effect": "deny"})) st.add(Policy.from_json({"uid": "2", "description": "some text", "rules": {}, "targets": {}, "effect": "deny"})) assert isinstance(st.get('1'), Policy) assert '1' == st.get('1').uid assert '2' == st.get('2').uid assert 'some text' == st.get('2').description
def test_update(st): policy = Policy.from_json({"uid": "1", "rules": {}, "targets": {}, "effect": "deny"}) # Test update before insert st.update(policy) assert st.get(policy.uid) is None st.add(policy) assert '1' == st.get('1').uid assert '' == st.get('1').description policy.description = 'foo' st.update(policy) assert '1' == st.get('1').uid assert 'foo' == st.get('1').description p = Policy.from_json({"uid": "2", "description": "foo", "rules": {}, "targets": {}, "effect": "deny"}) st.add(p) assert '2' == st.get('2').uid p = Policy.from_json({"uid": "2", "description": "foo", "rules": {"action": {"$.method": {"condition": "Equals", "value": "get"}}}, "targets": {}, "effect": "deny"}) st.update(p) assert 1 == len(st.get('2').rules.action) assert 'get' == st.get('2').rules.action['$.method'].value
def test_update(self): policy = Policy.from_json(self.POLICY_JSON) p_model = PolicyModel.from_policy(policy) new_policy_json = self.POLICY_JSON.copy() new_policy_json["priority"] = 1 new_policy = Policy.from_json(new_policy_json) p_model.update(new_policy) policy_model_assert(p_model, new_policy)
def test_add(st): policy_json = { "uid": "1", "description": "Policy create test 1", "rules": { "subject": {"$.uid": {"condition": "Eq", "value": 1.0}}, "resource": [{"$.name": {"condition": "Equals", "value": "test", "case_insensitive": False}}], "action": {}, "context": {} }, "targets": { "subject_id": ["abc", "a*"], "resource_id": ["123"], 'action_id': '*' }, "effect": "deny", "priority": 0 } policy = Policy.from_json(policy_json) st.add(policy) assert "1" == st.get('1').uid assert "Policy create test 1" == st.get('1').description policy_json = { "uid": "2", "description": "Policy create test 2", "rules": { "subject": {"$.uid": {"condition": "Eq", "value": 1.0}}, "resource": [{"$.name": {"condition": "Equals", "value": "test", "case_insensitive": False}}], "action": [{"$.method": {"condition": "Equals", "value": "GET"}}, {"$.method": {"condition": "Equals", "value": "POST"}}], "context": {} }, "targets": { "subject_id": ["abc", "a*"], "resource_id": ["123"], 'action_id': '*' }, "effect": "deny", "priority": 0 } policy = Policy.from_json(policy_json) st.add(policy) assert '2' == st.get('2').uid assert 2 == len(st.get('2').rules.action) assert 1 == len(st.get('2').rules.subject) assert isinstance(st.get('2').rules.subject["$.uid"], Eq) assert 1 == len(st.get('2').rules.resource) assert isinstance(st.get('2').rules.resource[0]['$.name'], Equals) assert 'test' == st.get('2').rules.resource[0]['$.name'].value assert ["abc", "a*"] == st.get('2').targets.subject_id
def test_to_policy(): policy_json = { "uid": "a381fdd3-b73a-4858-a57b-94085628b0f1", "description": "Block user 'Max' when ip in CIDR 192.168.1.0/24", "rules": { "subject": { "$.name": { "condition": "Equals", "value": "Max" } }, "context": { "$.ip": { "condition": "Not", "value": { "condition": "CIDR", "value": "192.168.1.0/24" } } } }, "targets": { "subject_id": "user::b90b2998-9e1b-4ac5-a743-b060b2634dbb" }, "effect": "deny" } policy = Policy.from_json(policy_json) model = PolicyModel.from_policy(policy) new_policy = model.to_policy() assert policy.uid == new_policy.uid assert policy.description == new_policy.description assert policy.priority == new_policy.priority
def test_allow_access(self): policy_json = { "uid": "a", "description": "Policy create test", "rules": { "subject": { "$.uid": { "condition": "Eq", "value": 1.0 } }, "resource": [{ "$.name": { "condition": "Equals", "value": "test", "case_insensitive": False } }], "action": {}, "context": {} }, "targets": { "subject_id": ["abc", "a*"], "resource_id": ["123"], 'action_id': '*' }, "effect": "deny", "priority": 0 } policy = Policy.from_json(policy_json) assert not policy.is_allowed policy.effect = "allow" assert policy.is_allowed
def test_policy_create_existing(st): st.add( Policy.from_json({ "uid": "1", "rules": {}, "targets": {}, "effect": "deny" })) with pytest.raises(PolicyExistsError): st.add( Policy.from_json({ "uid": "1", "rules": {}, "targets": {}, "effect": "deny" }))
def test_to_doc(): policy_json = { "uid": "a381fdd3-b73a-4858-a57b-94085628b0f1", "description": "Block user 'Max' when ip in CIDR 192.168.1.0/24", "rules": { "subject": { "$.name": { "condition": "Equals", "value": "Max" } }, "context": { "$.ip": { "condition": "Not", "value": { "condition": "CIDR", "value": "192.168.1.0/24" } } } }, "targets": { "subject_id": "user::b90b2998-9e1b-4ac5-a743-b060b2634dbb" }, "effect": "deny" } policy = Policy.from_json(policy_json) policy_doc = { "_id": policy.uid, "policy_str": json.dumps(policy.to_json()), "tags": {} } model = PolicyModel.from_doc(policy_doc) new_policy_doc = model.to_doc() assert policy_doc == new_policy_doc
def st(): client = create_client() storage = MongoStorage(client, DB_NAME, collection=COLLECTION) for policy_json in POLICIES: storage.add(Policy.from_json(policy_json)) yield storage client[DB_NAME][COLLECTION].drop() client.close()
def test_delete(st): policy = Policy.from_json({"uid": "1", "rules": {}, "targets": {}, "effect": "deny"}) # Test non-existing st.delete('1') assert None is st.get('1') st.add(policy) assert '1' == st.get('1').uid st.delete('1') assert None is st.get('1')
def test_update_error(st): # Policy with UID 1 not present. with pytest.raises(ValueError): policy = Policy.from_json({ "uid": "1", "rules": {}, "targets": {}, "effect": "deny" }) st.update(policy)
def test_get_all(st, limit, offset, result): for i in range(200): st.add( Policy.from_json({ "uid": str(i), "rules": {}, "targets": {}, "effect": "deny" })) policies = list(st.get_all(limit, offset)) assert result == len(policies)
def test_find_for_target(st, request_json, num): st.add( Policy.from_json({ "uid": "1", "rules": {}, "targets": {}, "effect": "deny" })) st.add( Policy.from_json({ "uid": "2", "rules": {}, "targets": { "subject_id": "ab*" }, "effect": "deny" })) st.add( Policy.from_json({ "uid": "3", "rules": {}, "targets": { "subject_id": "a*b" }, "effect": "deny" })) st.add( Policy.from_json({ "uid": "4", "rules": {}, "targets": { "subject_id": "ab*c" }, "effect": "deny" })) request = AccessRequest.from_json(request_json) found = st.get_for_target(request._subject_id, request._resource_id, request._action_id) found = list(found) assert num == len(found)
def test_get_all_check_policy_properties(st): st.add( Policy.from_json({ "uid": "1", "description": "foo", "rules": {}, "targets": {}, "effect": "deny" })) policies = list(st.get_all(100, 0)) assert 1 == len(policies) assert '1' == policies[0].uid assert 'foo' == policies[0].description
def test_create(self): uid = uuid.uuid4() policy_json = { "uid": str(uid), "description": "Policy create test", "rules": { "subject": { "$.uid": { "condition": "Eq", "value": 1.0 } }, "resource": [{ "$.name": { "condition": "Equals", "value": "test", "case_insensitive": False } }], "action": {}, "context": {} }, "targets": { "subject_id": ["abc", "a*"], "resource_id": ["123"], 'action_id': '*' }, "effect": "deny", "priority": 0 } policy = Policy.from_json(policy_json) assert policy.to_json() == policy_json rules = policy.rules assert isinstance(rules, Rules) assert isinstance(rules.subject["$.uid"], Eq) assert rules.subject["$.uid"].value == 1.0 assert isinstance(rules.resource[0]["$.name"], Equals) assert rules.resource[0]["$.name"].value == "test" assert rules.action == {} assert rules.context == {} targets = policy.targets targets_json = policy_json["targets"] assert isinstance(targets, Targets) assert targets.subject_id == targets_json["subject_id"] assert targets.resource_id == targets_json["resource_id"] assert targets.action_id == "*"
def policy_model_assert(policy_model: PolicyModel, policy: Policy): """ Assert if the given policy model object `policy_model` is equal to the policy object `policy` """ def assert_targets(target_models: List[TargetModel], target_ids): _target_ids = target_ids if isinstance(target_ids, list) else [target_ids] assert len(target_models) == len(_target_ids) for x in range(len(_target_ids)): assert target_models[x].target_id.replace('%', '*') == _target_ids[x] assert policy_model.uid == policy.uid assert policy_model.json == policy.to_json() assert_targets(policy_model.actions, policy.targets.action_id) assert_targets(policy_model.subjects, policy.targets.subject_id) assert_targets(policy_model.resources, policy.targets.resource_id)
def test_from_policy(): policy_json = { "uid": "a381fdd3-b73a-4858-a57b-94085628b0f1", "description": "Block user 'Max' when ip in CIDR 192.168.1.0/24", "rules": { "subject": { "$.name": { "condition": "Equals", "value": "Max" } }, "context": { "$.ip": { "condition": "Not", "value": { "condition": "CIDR", "value": "192.168.1.0/24" } } } }, "targets": { "subject_id": "user::b90b2998-9e1b-4ac5-a743-b060b2634dbb" }, "effect": "deny" } policy = Policy.from_json(policy_json) model = PolicyModel.from_policy(policy) assert isinstance(model, PolicyModel) assert isinstance(model.policy_str, str) assert isinstance(model._id, str) assert isinstance(model.tags, dict) assert model.policy_str == json.dumps(policy.to_json()) assert model._id == policy.uid assert model.tags == { "subject": [{ "id": ["user::b90b2998-9e1b-4ac5-a743-b060b2634dbb"] }], "resource": [{ "id": ["*"] }], "action": [{ "id": ["*"] }] }
def test_from_policy(self): policy = Policy.from_json(self.POLICY_JSON) p_model = PolicyModel.from_policy(policy) policy_model_assert(p_model, policy)
def test_to_policy(self): policy = Policy.from_json(self.POLICY_JSON) p_model = PolicyModel.from_policy(policy) _policy = p_model.to_policy() assert policy.to_json() == _policy.to_json()
def test_get_filter(self): policy = Policy.from_json(self.POLICY_JSON) p_model = PolicyModel.from_policy(policy) _filter = p_model.get_filter("1", "1", "1") assert len(_filter) == 3
def test_create_policy_error(self, policy_json): with pytest.raises(PolicyCreateError): Policy.from_json(policy_json)
def test_fits(self, desc, policy_json, request_json, result): ctx = EvaluationContext(Request.from_json(request_json)) policy = Policy.from_json(policy_json) assert policy.fits(ctx) == result
def test__targets_to_tags(policy_json, tags): policy = Policy.from_json(policy_json) assert PolicyModel._targets_to_tags(policy.targets) == tags