def test_resource_policies(self):
gc = Mock()
resource_id = 'resource_key'
pdpm = PolicyDecisionPointManager(gc)
# see that the PDP for resource is empty
self.assertEqual(pdpm.get_resource_pdp(resource_id), pdpm.empty_pdp)
pdpm.load_resource_policy_rules(resource_id, self.permit_ION_MANAGER_rule)
# see that the PDP for resource is not empty anymore
self.assertNotEqual(pdpm.get_resource_pdp(resource_id), pdpm.empty_pdp)
# check request without a resource_id raises NotFound error
self.invocation = Mock()
with self.assertRaises(NotFound) as chk_res:
pdpm.check_resource_request_policies(self.invocation, None)
self.assertIn(chk_res.exception.message, 'The resource_id is not set')
# check that, because actor does not have ION_MANAGER role, policy evaluates to a denial
# (really Not Applicable, because of the inelegant hack of a policy we are setting up our pdp with)
mock_header = Mock()
self.invocation.headers = {'op': 'op', 'process': 'process', 'request': 'request', 'ion-actor-id': 'ion-actor-id', 'receiver': 'resource-registry',
'sender-type': 'sender-type', 'sender-service': 'sender-service', 'ion-actor-roles': {'org_name': ['ion-actor-roles']}}
def get_header_value(key, default):
return self.invocation.headers.get(key, default)
mock_header.side_effect = get_header_value
self.invocation.get_header_value = mock_header
mock_args = Mock()
process = Mock()
process.org_name = 'org_name'
self.invocation.args = {'process': process}
def get_arg_value(key, default):
return self.invocation.args.get(key, default)
mock_args.side_effect = get_arg_value
self.invocation.get_arg_value = mock_args
gc.system_root_org_name = 'sys_org_name'
response = pdpm.check_resource_request_policies(self.invocation, resource_id)
self.assertEqual(response.value, "NotApplicable")
# check that policy evaluates to Permit because actor has ION_MANAGER role
self.invocation.headers = {'op': 'op', 'process': 'process', 'request': 'request', 'ion-actor-id': 'ion-actor-id', 'receiver': 'resource-registry',
'sender-type': 'sender-type', 'sender-service': 'sender-service', 'ion-actor-roles': {'sys_org_name': ['ION_MANAGER']}}
response = pdpm.check_resource_request_policies(self.invocation, resource_id)
self.assertEqual(response.value, "Permit")
def test_resource_policies(self):
gc = Mock()
resource_id = "resource_key"
pdpm = PolicyDecisionPointManager(gc)
# see that the PDP for resource is empty
self.assertEqual(pdpm.get_resource_pdp(resource_id), pdpm.empty_pdp)
pdpm.set_resource_policy_rules(resource_id, self.permit_SUPERUSER_rule)
# see that the PDP for resource is not empty anymore
self.assertNotEqual(pdpm.get_resource_pdp(resource_id), pdpm.empty_pdp)
# check request without a resource_id raises NotFound error
invocation = MagicMock()
invocation.message_annotations = {}
with self.assertRaises(NotFound) as chk_res:
pdpm.check_resource_request_policies(invocation, None)
self.assertIn(chk_res.exception.message, "The resource_id is not set")
# (really Not Applicable, because of the inelegant hack of a policy we are setting up our pdp with)
mock_header = Mock()
def get_header_value(key, default):
return invocation.headers.get(key, default)
mock_header.side_effect = get_header_value
invocation.get_header_value = mock_header
mock_args = Mock()
class MockProcess(Mock):
def check_test_value(self, process, message, headers):
if message["argument1"] > 3:
return False, "The value of argument1 is larger than 3"
return True, ""
mock_process = MockProcess()
mock_process.org_governance_name = "org_name"
invocation.args = {"process": mock_process}
def get_arg_value(key, default):
return invocation.args.get(key, default)
mock_args.side_effect = get_arg_value
invocation.get_arg_value = mock_args
# check that, because actor does not have SUPERUSER role, policy evaluates to a denial
invocation.message_annotations = {}
invocation.message = {"argument1": 0}
invocation.headers = {
"op": "op",
"process": mock_process,
"request": "request",
"ion-actor-id": "ion-actor-id",
"receiver": "resource-registry",
"sender-type": "sender-type",
"sender-service": "sender-service",
"ion-actor-roles": {"org_name": ["ion-actor-roles"]},
}
invocation.get_message_sender.return_value = ["Unknown", "Unknown"]
gc.system_root_org_name = "sys_org_name"
response = pdpm.check_resource_request_policies(invocation, resource_id)
self.assertEqual(response.value, "NotApplicable")
# check that policy evaluates to Permit because actor has SUPERUSER role
invocation.headers = {
"op": "op",
"process": mock_process,
"request": "request",
"ion-actor-id": "ion-actor-id",
"receiver": "resource-registry",
"sender-type": "sender-type",
"sender-service": "sender-service",
"ion-actor-roles": {"sys_org_name": ["SUPERUSER"]},
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(invocation, resource_id)
self.assertEqual(response.value, "Permit")
pdpm.set_resource_policy_rules(resource_id, self.deny_message_parameter_rule)
invocation.message = {"argument1": 0}
invocation.headers = {
"op": "op",
"process": mock_process,
"request": "request",
"ion-actor-id": "ion-actor-id",
"receiver": "resource-registry",
"sender-type": "sender-type",
"sender-service": "sender-service",
"ion-actor-roles": {"sys_org_name": ["SUPERUSER"]},
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(invocation, resource_id)
self.assertEqual(response.value, "Deny")
self.assertTrue("POLICY_STATUS_REASON" in invocation.message_annotations)
self.assertEqual(
invocation.message_annotations["POLICY_STATUS_REASON"], "The value of argument1 is less than or equal to 3"
)
invocation.message = {"argument1": 5}
invocation.headers = {
"op": "op",
"process": mock_process,
"request": "request",
"ion-actor-id": "ion-actor-id",
"receiver": "resource-registry",
"sender-type": "sender-type",
"sender-service": "sender-service",
"ion-actor-roles": {"sys_org_name": ["SUPERUSER"]},
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(invocation, resource_id)
self.assertEqual(response.value, "Permit")
self.assertFalse("POLICY_STATUS_REASON" in invocation.message_annotations)
pdpm.set_resource_policy_rules(resource_id, self.deny_message_parameter_function_rule)
invocation.message = {"argument1": 0}
invocation.headers = {
"op": "op",
"process": mock_process,
"request": "request",
"ion-actor-id": "ion-actor-id",
"receiver": "resource-registry",
"sender-type": "sender-type",
"sender-service": "sender-service",
"ion-actor-roles": {"sys_org_name": ["SUPERUSER"]},
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(invocation, resource_id)
self.assertEqual(response.value, "Permit")
self.assertFalse("POLICY_STATUS_REASON" in invocation.message_annotations)
invocation.message = {"argument1": 5}
invocation.headers = {
"op": "op",
"process": mock_process,
"request": "request",
"ion-actor-id": "ion-actor-id",
"receiver": "resource-registry",
"sender-type": "sender-type",
"sender-service": "sender-service",
"ion-actor-roles": {"sys_org_name": ["SUPERUSER"]},
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(invocation, resource_id)
self.assertTrue("POLICY_STATUS_REASON" in invocation.message_annotations)
self.assertEqual(
invocation.message_annotations["POLICY_STATUS_REASON"], "The value of argument1 is larger than 3"
)
def test_resource_policies(self):
gc = Mock()
resource_id = 'resource_key'
pdpm = PolicyDecisionPointManager(gc)
# see that the PDP for resource is empty
self.assertEqual(pdpm.get_resource_pdp(resource_id), pdpm.empty_pdp)
pdpm.set_resource_policy_rules(resource_id, self.permit_SUPERUSER_rule)
# see that the PDP for resource is not empty anymore
self.assertNotEqual(pdpm.get_resource_pdp(resource_id), pdpm.empty_pdp)
# check request without a resource_id raises NotFound error
invocation = MagicMock()
invocation.message_annotations = {}
with self.assertRaises(NotFound) as chk_res:
pdpm.check_resource_request_policies(invocation, None)
self.assertIn(chk_res.exception.message, 'The resource_id is not set')
# (really Not Applicable, because of the inelegant hack of a policy we are setting up our pdp with)
mock_header = Mock()
def get_header_value(key, default):
return invocation.headers.get(key, default)
mock_header.side_effect = get_header_value
invocation.get_header_value = mock_header
mock_args = Mock()
class MockProcess(Mock):
def check_test_value(self, process, message, headers):
if message['argument1'] > 3:
return False, 'The value of argument1 is larger than 3'
return True, ''
mock_process = MockProcess()
mock_process.org_governance_name = 'org_name'
invocation.args = {'process': mock_process}
def get_arg_value(key, default):
return invocation.args.get(key, default)
mock_args.side_effect = get_arg_value
invocation.get_arg_value = mock_args
# check that, because actor does not have SUPERUSER role, policy evaluates to a denial
invocation.message_annotations = {}
invocation.message = {'argument1': 0}
invocation.headers = {
'op': 'op',
'process': mock_process,
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'sender-service',
'ion-actor-roles': {
'org_name': ['ion-actor-roles']
}
}
invocation.get_message_sender.return_value = ['Unknown', 'Unknown']
gc.system_root_org_name = 'sys_org_name'
response = pdpm.check_resource_request_policies(
invocation, resource_id)
self.assertEqual(response.value, "NotApplicable")
# check that policy evaluates to Permit because actor has SUPERUSER role
invocation.headers = {
'op': 'op',
'process': mock_process,
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'sender-service',
'ion-actor-roles': {
'sys_org_name': ['SUPERUSER']
}
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(
invocation, resource_id)
self.assertEqual(response.value, "Permit")
pdpm.set_resource_policy_rules(resource_id,
self.deny_message_parameter_rule)
invocation.message = {'argument1': 0}
invocation.headers = {
'op': 'op',
'process': mock_process,
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'sender-service',
'ion-actor-roles': {
'sys_org_name': ['SUPERUSER']
}
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(
invocation, resource_id)
self.assertEqual(response.value, "Deny")
self.assertTrue(
'POLICY_STATUS_REASON' in invocation.message_annotations)
self.assertEqual(
invocation.message_annotations['POLICY_STATUS_REASON'],
'The value of argument1 is less than or equal to 3')
invocation.message = {'argument1': 5}
invocation.headers = {
'op': 'op',
'process': mock_process,
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'sender-service',
'ion-actor-roles': {
'sys_org_name': ['SUPERUSER']
}
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(
invocation, resource_id)
self.assertEqual(response.value, "Permit")
self.assertFalse(
'POLICY_STATUS_REASON' in invocation.message_annotations)
pdpm.set_resource_policy_rules(
resource_id, self.deny_message_parameter_function_rule)
invocation.message = {'argument1': 0}
invocation.headers = {
'op': 'op',
'process': mock_process,
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'sender-service',
'ion-actor-roles': {
'sys_org_name': ['SUPERUSER']
}
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(
invocation, resource_id)
self.assertEqual(response.value, "Permit")
self.assertFalse(
'POLICY_STATUS_REASON' in invocation.message_annotations)
invocation.message = {'argument1': 5}
invocation.headers = {
'op': 'op',
'process': mock_process,
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'sender-service',
'ion-actor-roles': {
'sys_org_name': ['SUPERUSER']
}
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(
invocation, resource_id)
self.assertTrue(
'POLICY_STATUS_REASON' in invocation.message_annotations)
self.assertEqual(
invocation.message_annotations['POLICY_STATUS_REASON'],
'The value of argument1 is larger than 3')
def test_resource_policies(self):
gc = Mock()
resource_id = 'resource_key'
pdpm = PolicyDecisionPointManager(gc)
# see that the PDP for resource is empty
self.assertEqual(pdpm.get_resource_pdp(resource_id), pdpm.empty_pdp)
pdpm.load_resource_policy_rules(resource_id, self.permit_ION_MANAGER_rule )
# see that the PDP for resource is not empty anymore
self.assertNotEqual(pdpm.get_resource_pdp(resource_id), pdpm.empty_pdp)
# check request without a resource_id raises NotFound error
invocation = MagicMock()
invocation.message_annotations = {}
with self.assertRaises(NotFound) as chk_res:
pdpm.check_resource_request_policies(invocation, None)
self.assertIn(chk_res.exception.message, 'The resource_id is not set')
# (really Not Applicable, because of the inelegant hack of a policy we are setting up our pdp with)
mock_header = Mock()
def get_header_value(key, default):
return invocation.headers.get(key, default)
mock_header.side_effect = get_header_value
invocation.get_header_value = mock_header
mock_args = Mock()
class MockProcess(Mock):
def check_test_value(self, process, message, headers):
if message['argument1'] > 3:
return False, 'The value of argument1 is larger than 3'
return True, ''
mock_process = MockProcess()
mock_process.org_governance_name = 'org_name'
invocation.args = {'process': mock_process}
def get_arg_value(key, default):
return invocation.args.get(key, default)
mock_args.side_effect = get_arg_value
invocation.get_arg_value = mock_args
# check that, because actor does not have ION_MANAGER role, policy evaluates to a denial
invocation.message_annotations = {}
invocation.message = {'argument1': 0}
invocation.headers = {'op': 'op', 'process': mock_process, 'request': 'request', 'ion-actor-id': 'ion-actor-id', 'receiver': 'resource-registry',
'sender-type': 'sender-type', 'sender-service': 'sender-service', 'ion-actor-roles': {'org_name': ['ion-actor-roles']}}
invocation.get_message_sender.return_value = ['Unknown','Unknown']
gc.system_root_org_name = 'sys_org_name'
response = pdpm.check_resource_request_policies(invocation, resource_id)
self.assertEqual(response.value, "NotApplicable")
# check that policy evaluates to Permit because actor has ION_MANAGER role
invocation.headers = {'op': 'op', 'process': mock_process, 'request': 'request', 'ion-actor-id': 'ion-actor-id', 'receiver': 'resource-registry',
'sender-type': 'sender-type', 'sender-service': 'sender-service', 'ion-actor-roles': {'sys_org_name': ['ION_MANAGER']}}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(invocation, resource_id)
self.assertEqual(response.value, "Permit")
pdpm.load_resource_policy_rules(resource_id, self.deny_message_parameter_rule)
invocation.message = {'argument1': 0}
invocation.headers = {'op': 'op', 'process': mock_process, 'request': 'request', 'ion-actor-id': 'ion-actor-id', 'receiver': 'resource-registry',
'sender-type': 'sender-type', 'sender-service': 'sender-service', 'ion-actor-roles': {'sys_org_name': ['ION_MANAGER']}}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(invocation, resource_id)
self.assertEqual(response.value, "Deny")
self.assertEqual(invocation.message_annotations.has_key('POLICY_STATUS_REASON'), True)
self.assertEqual(invocation.message_annotations['POLICY_STATUS_REASON'],'The value of argument1 is less than or equal to 3')
invocation.message = {'argument1': 5}
invocation.headers = {'op': 'op', 'process': mock_process, 'request': 'request', 'ion-actor-id': 'ion-actor-id', 'receiver': 'resource-registry',
'sender-type': 'sender-type', 'sender-service': 'sender-service', 'ion-actor-roles': {'sys_org_name': ['ION_MANAGER']}}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(invocation, resource_id)
self.assertEqual(response.value, "Permit")
self.assertEqual(invocation.message_annotations.has_key('POLICY_STATUS_REASON'), False)
pdpm.load_resource_policy_rules(resource_id, self.deny_message_parameter_function_rule)
invocation.message = {'argument1': 0}
invocation.headers = {'op': 'op', 'process': mock_process, 'request': 'request', 'ion-actor-id': 'ion-actor-id', 'receiver': 'resource-registry',
'sender-type': 'sender-type', 'sender-service': 'sender-service', 'ion-actor-roles': {'sys_org_name': ['ION_MANAGER']}}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(invocation, resource_id)
self.assertEqual(response.value, "Permit")
self.assertEqual(invocation.message_annotations.has_key('POLICY_STATUS_REASON'), False)
invocation.message = {'argument1': 5}
invocation.headers = {'op': 'op', 'process': mock_process, 'request': 'request', 'ion-actor-id': 'ion-actor-id', 'receiver': 'resource-registry',
'sender-type': 'sender-type', 'sender-service': 'sender-service', 'ion-actor-roles': {'sys_org_name': ['ION_MANAGER']}}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(invocation, resource_id)
self.assertEqual(invocation.message_annotations.has_key('POLICY_STATUS_REASON'), True)
self.assertEqual(invocation.message_annotations['POLICY_STATUS_REASON'],'The value of argument1 is larger than 3')
