def test_get_attribute_value():
request_json = {
"subject": {
"id": "a",
"attributes": {
"firstName": "Carl",
"lastName": "Right"
}
},
"resource": {
"id": "a",
"attributes": {
"name": "Calendar"
}
},
"action": {
"id": "",
"attributes": {}
},
"context": {}
}
request = AccessRequest.from_json(request_json)
ctx = EvaluationContext(request)
provider = RequestAttributeProvider(request)
assert request_json["subject"]["attributes"]["firstName"] == provider.get_attribute_value("subject", "$.firstName",
ctx)
assert request_json["subject"]["attributes"]["lastName"] == provider.get_attribute_value("subject", "$.lastName",
ctx)
assert provider.get_attribute_value("subject", "$.test", ctx) is None
assert request_json["resource"]["attributes"]["name"] == provider.get_attribute_value("resource", "$.name", ctx)
assert provider.get_attribute_value("resource", "$.test", ctx) is None
assert provider.get_attribute_value("action", "$.test", ctx) is None
assert provider.get_attribute_value("context", "$.test", ctx) is None
def test_is_satisfied(rules_json, result):
request_json = {
"subject": {
"id": "a",
"attributes": {
"firstName": "Carl",
"lastName": "Right"
}
},
"resource": {
"id": "a",
"attributes": {
"name": "Calendar"
}
},
"action": {
"id": "",
"attributes": {}
},
"context": {}
}
request = AccessRequest.from_json(request_json)
ctx = EvaluationContext(request)
rules = RulesSchema().load(rules_json)
assert rules.is_satisfied(ctx) == result
def test_create():
request_json = {
"subject": {
"id": "a",
"attributes": {
"firstName": "Carl",
"lastName": "Right"
}
},
"resource": {
"id": "a",
"attributes": {
"name": "Calendar"
}
},
"action": {
"id": "",
"attributes": {}
},
"context": {}
}
request = AccessRequest.from_json(request_json)
assert request_json["subject"]["id"] == request._subject_id
assert request_json["resource"]["id"] == request._resource_id
assert request_json["action"]["id"] == request._action_id
# Check backward compatibility
request = Request.from_json(request_json)
assert request_json["subject"]["id"] == request._subject_id
assert request_json["resource"]["id"] == request._resource_id
assert request_json["action"]["id"] == request._action_id
def test_invalid_attribute_path_error():
request_json = {
"subject": {
"id": "a",
"attributes": {
"firstName": "Carl",
"lastName": "Right"
}
},
"resource": {
"id": "a",
"attributes": {
"name": "Calendar"
}
},
"action": {
"id": "",
"attributes": {}
},
"context": {}
}
request = AccessRequest.from_json(request_json)
ctx = EvaluationContext(request)
provider = RequestAttributeProvider(request)
with pytest.raises(InvalidAttributePathError):
provider.get_attribute_value("subject", ")", ctx)
def test_match(targets_json, result):
request_json = {
"subject": {
"id": "abc",
"attributes": {
"firstName": "Carl",
"lastName": "Right"
}
},
"resource": {
"id": "12",
"attributes": {
"name": "Calendar"
}
},
"action": {
"id": ">",
"attributes": {}
},
"context": {}
}
request = AccessRequest.from_json(request_json)
ctx = EvaluationContext(request)
targets = TargetsSchema().load(targets_json)
assert targets.match(ctx) == result
def test_get_attribute_value():
request_json = {
"subject": {
"id": "a",
"attributes": {
"firstName": "Carl",
"lastName": "Right",
"middleName": ""
}
},
"resource": {
"id": "a",
"attributes": {
"name": "Calendar"
}
},
"action": {
"id": "",
"attributes": {}
},
"context": {}
}
request = AccessRequest.from_json(request_json)
context = EvaluationContext(request, providers=[EmailAttributeProvider()])
assert context.get_attribute_value("subject", "$.firstName") == "Carl"
assert context.get_attribute_value("subject", "$.middleName") == ""
assert context.get_attribute_value("subject",
"$.email") == "*****@*****.**"
assert context.get_attribute_value("resource", "$.name") == "Calendar"
assert context.get_attribute_value("context", "$.ip") is None
def test_attribute_value_raises():
request_json = {
"subject": {
"id": "a",
"attributes": {
"firstName": "Carl",
"lastName": "Right"
}
},
"resource": {
"id": "a",
"attributes": {
"name": "Calendar"
}
},
"action": {
"id": "",
"attributes": {}
},
"context": {}
}
request = AccessRequest.from_json(request_json)
context = EvaluationContext(request)
with pytest.raises(InvalidAccessControlElementError):
_ = context.attribute_value
context.ace = "test"
with pytest.raises(InvalidAccessControlElementError):
_ = context.attribute_value
context.ace = "subject"
context.attribute_path = ")"
with pytest.raises(InvalidAttributePathError):
_ = context.attribute_value
def test_attribute_provider_infinite_recursion():
request_json = {
"subject": {
"id": "a",
"attributes": {
"firstName": "Carl",
"lastName": "Right"
}
},
"resource": {
"id": "a",
"attributes": {
"name": "Calendar"
}
},
"action": {
"id": "",
"attributes": {}
},
"context": {}
}
request = AccessRequest.from_json(request_json)
context = EvaluationContext(request, providers=[FaultyAttributeProvider()])
assert context.get_attribute_value("subject", "$.email") is None
context = EvaluationContext(request,
providers=[
FaultyAttributeProvider(),
EmailAttributeProvider(),
FaultyAttributeProvider(),
EmailAttributeProvider(),
FaultyAttributeProvider()
])
assert context.get_attribute_value("subject", "$.age") is None
def test_is_satisfied(self, condition, what, result):
request = AccessRequest(subject={"attributes": {"what": what}},
resource={"attributes": {"name": {"what": what}}},
action={}, context={})
ctx = EvaluationContext(request)
ctx.ace = "subject"
ctx.attribute_path = "$.what"
assert condition.is_satisfied(ctx) == result
def test_create():
request_json = {
"subject": {
"id": "a",
"attributes": {
"firstName": "Carl",
"lastName": "Right",
"middleName": ""
}
},
"resource": {
"id": "a",
"attributes": {
"name": "Calendar"
}
},
"action": {
"id": "",
"attributes": {}
},
"context": {}
}
request = AccessRequest.from_json(request_json)
context = EvaluationContext(request)
assert context.subject_id == request._subject_id
assert context.resource_id == request._resource_id
assert context.action_id == request._action_id
assert context._other_providers == []
assert context.ace is None
assert context.attribute_path is None
context.ace = "subject"
context.attribute_path = "$.firstName"
assert context.attribute_value == "Carl"
context.attribute_path = "$.lastName"
assert context.attribute_value == "Right"
context.attribute_path = "$.middleName"
assert context.attribute_value == ""
context.ace = "resource"
context.attribute_path = "$.name"
assert context.attribute_value == "Calendar"
def test_find_for_target(st, request_json, num):
st.add(
Policy.from_json({
"uid": "1",
"rules": {},
"targets": {},
"effect": "deny"
}))
st.add(
Policy.from_json({
"uid": "2",
"rules": {},
"targets": {
"subject_id": "ab*"
},
"effect": "deny"
}))
st.add(
Policy.from_json({
"uid": "3",
"rules": {},
"targets": {
"subject_id": "a*b"
},
"effect": "deny"
}))
st.add(
Policy.from_json({
"uid": "4",
"rules": {},
"targets": {
"subject_id": "ab*c"
},
"effect": "deny"
}))
request = AccessRequest.from_json(request_json)
found = st.get_for_target(request._subject_id, request._resource_id,
request._action_id)
found = list(found)
assert num == len(found)
def test_create_error(request_json):
with pytest.raises(RequestCreateError):
AccessRequest.from_json(request_json)
def test_is_allowed_highest_priority(st, desc, request_json, should_be_allowed):
pdp = PDP(st, EvaluationAlgorithm.HIGHEST_PRIORITY, [EmailsAttributeProvider()])
request = AccessRequest.from_json(request_json)
assert should_be_allowed == pdp.is_allowed(request)
def test_is_allowed_allow_overrides(st, desc, request_json, should_be_allowed):
pdp = PDP(st, EvaluationAlgorithm.ALLOW_OVERRIDES, [EmailsAttributeProvider()])
request = AccessRequest.from_json(request_json)
assert should_be_allowed == pdp.is_allowed(request)
def test_fits(self, desc, policy_json, request_json, result):
ctx = EvaluationContext(AccessRequest.from_json(request_json))
policy = Policy.from_json(policy_json)
assert policy.fits(ctx) == result