def initialize_from_config(self, config):
self.governance_dispatcher = GovernanceDispatcher()
self.policy_decision_point_manager = PolicyDecisionPointManager(self)
if 'interceptor_order' in config:
self.interceptor_order = config['interceptor_order']
if 'governance_interceptors' in config:
gov_ints = config['governance_interceptors']
for name in gov_ints:
interceptor_def = gov_ints[name]
# Instantiate and put in by_name array
parts = interceptor_def["class"].split('.')
modpath = ".".join(parts[:-1])
classname = parts[-1]
module = __import__(modpath, fromlist=[classname])
classobj = getattr(module, classname)
classinst = classobj()
# Put in by_name_dict for possible re-use
self.interceptor_by_name_dict[name] = classinst
def initialize_from_config(self, config):
self.governance_dispatcher = GovernanceDispatcher()
self.policy_decision_point_manager = PolicyDecisionPointManager(self)
self.interceptor_order = config.get('interceptor_order', None) or []
gov_ints = config.get('governance_interceptors', None) or {}
for name in gov_ints:
interceptor_def = gov_ints[name]
classobj = named_any(interceptor_def["class"])
classinst = classobj()
self.interceptor_by_name_dict[name] = classinst
def test_agent_policies(self):
# set up data
gc = Mock()
service_key = 'service_key'
resource_id = 'resource_id'
pdpm = PolicyDecisionPointManager(gc)
invocation = Mock()
mock_header = Mock()
invocation.message_annotations = {}
invocation.message = {'argument1': 0}
invocation.headers = {
'op': 'op',
'process': 'process',
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'Unknown',
'ion-actor-roles': {
'org_name': ['SUPERUSER']
}
}
invocation.get_message_receiver.return_value = 'service_key'
invocation.get_service_name.return_value = 'Unknown'
invocation.get_message_sender.return_value = ['Unknown', 'Unknown']
def get_header_value(key, default):
return invocation.headers.get(key, default)
mock_header.side_effect = get_header_value
invocation.get_header_value = mock_header
mock_args = Mock()
process = Mock()
process.org_governance_name = 'org_name'
process.resource_id = 'resource_id'
invocation.args = {'process': process}
def get_arg_value(key, default='Unknown'):
return invocation.args.get(key, default)
mock_args.side_effect = get_arg_value
invocation.get_arg_value = mock_args
gc.system_root_org_name = 'sys_org_name'
# check that service policies result in denying the request
pdpm.set_service_policy_rules(service_key, self.deny_SUPERUSER_rule)
pdpm.set_resource_policy_rules(resource_id, self.permit_SUPERUSER_rule)
response = pdpm.check_agent_request_policies(invocation)
self.assertEqual(response.value, "Deny")
# check that resource policies result in denying the request
pdpm.set_service_policy_rules(service_key, self.permit_SUPERUSER_rule)
pdpm.set_resource_policy_rules(resource_id, self.deny_SUPERUSER_rule)
response = pdpm.check_agent_request_policies(invocation)
self.assertEqual(response.value, "Deny")
# check that both service and resource policies need to allow a request
pdpm.set_service_policy_rules(service_key, self.permit_SUPERUSER_rule)
pdpm.set_resource_policy_rules(resource_id, self.permit_SUPERUSER_rule)
response = pdpm.check_agent_request_policies(invocation)
self.assertEqual(response.value, "Permit")
def test_service_policies(self):
gc = Mock()
service_key = 'service_key'
pdpm = PolicyDecisionPointManager(gc)
# see that the PDP for service is the default
self.assertEqual(pdpm.get_service_pdp(service_key),
pdpm.load_common_service_pdp)
pdpm.set_service_policy_rules(service_key, self.permit_SUPERUSER_rule)
# see that the PDP for service is not the default anymore
self.assertNotEqual(pdpm.get_service_pdp(service_key),
pdpm.load_common_service_pdp)
# check request without a service_key raises NotFound error
invocation = Mock()
invocation.message_annotations = {}
invocation.get_message_receiver.return_value = None
with self.assertRaises(NotFound) as chk_res:
pdpm.check_service_request_policies(invocation)
self.assertIn(chk_res.exception.message,
'No receiver for this message')
# check that, because actor does not have SUPERUSER role, policy evaluates to a denial
# (really Not Applicable, because of the inelegant hack of a policy we are setting up our pdp with)
mock_header = Mock()
invocation.message_annotations = {}
invocation.message = {'argument1': 0}
invocation.headers = {
'op': 'op',
'process': 'process',
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'Unknown',
'ion-actor-roles': {
'org_name': ['ion-actor-roles']
}
}
invocation.get_message_receiver.return_value = 'service_key'
invocation.get_service_name.return_value = 'Unknown'
invocation.get_message_sender.return_value = ['Unknown', 'Unknown']
def get_header_value(key, default):
return invocation.headers.get(key, default)
mock_header.side_effect = get_header_value
invocation.get_header_value = mock_header
mock_args = Mock()
process = Mock()
process.org_governance_name = 'org_name'
invocation.args = {'process': process}
def get_arg_value(key, default):
return invocation.args.get(key, default)
mock_args.side_effect = get_arg_value
invocation.get_arg_value = mock_args
gc.system_root_org_name = 'sys_org_name'
response = pdpm.check_service_request_policies(invocation)
self.assertEqual(response.value, "NotApplicable")
# check that policy evaluates to Permit because actor has SUPERUSER role
invocation.message_annotations = {}
invocation.headers = {
'op': 'op',
'process': 'process',
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'sender-service',
'ion-actor-roles': {
'sys_org_name': ['SUPERUSER']
}
}
response = pdpm.check_service_request_policies(invocation)
self.assertEqual(response.value, "Permit")
def test_resource_policies(self):
gc = Mock()
resource_id = 'resource_key'
pdpm = PolicyDecisionPointManager(gc)
# see that the PDP for resource is empty
self.assertEqual(pdpm.get_resource_pdp(resource_id), pdpm.empty_pdp)
pdpm.set_resource_policy_rules(resource_id, self.permit_SUPERUSER_rule)
# see that the PDP for resource is not empty anymore
self.assertNotEqual(pdpm.get_resource_pdp(resource_id), pdpm.empty_pdp)
# check request without a resource_id raises NotFound error
invocation = MagicMock()
invocation.message_annotations = {}
with self.assertRaises(NotFound) as chk_res:
pdpm.check_resource_request_policies(invocation, None)
self.assertIn(chk_res.exception.message, 'The resource_id is not set')
# (really Not Applicable, because of the inelegant hack of a policy we are setting up our pdp with)
mock_header = Mock()
def get_header_value(key, default):
return invocation.headers.get(key, default)
mock_header.side_effect = get_header_value
invocation.get_header_value = mock_header
mock_args = Mock()
class MockProcess(Mock):
def check_test_value(self, process, message, headers):
if message['argument1'] > 3:
return False, 'The value of argument1 is larger than 3'
return True, ''
mock_process = MockProcess()
mock_process.org_governance_name = 'org_name'
invocation.args = {'process': mock_process}
def get_arg_value(key, default):
return invocation.args.get(key, default)
mock_args.side_effect = get_arg_value
invocation.get_arg_value = mock_args
# check that, because actor does not have SUPERUSER role, policy evaluates to a denial
invocation.message_annotations = {}
invocation.message = {'argument1': 0}
invocation.headers = {
'op': 'op',
'process': mock_process,
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'sender-service',
'ion-actor-roles': {
'org_name': ['ion-actor-roles']
}
}
invocation.get_message_sender.return_value = ['Unknown', 'Unknown']
gc.system_root_org_name = 'sys_org_name'
response = pdpm.check_resource_request_policies(
invocation, resource_id)
self.assertEqual(response.value, "NotApplicable")
# check that policy evaluates to Permit because actor has SUPERUSER role
invocation.headers = {
'op': 'op',
'process': mock_process,
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'sender-service',
'ion-actor-roles': {
'sys_org_name': ['SUPERUSER']
}
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(
invocation, resource_id)
self.assertEqual(response.value, "Permit")
pdpm.set_resource_policy_rules(resource_id,
self.deny_message_parameter_rule)
invocation.message = {'argument1': 0}
invocation.headers = {
'op': 'op',
'process': mock_process,
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'sender-service',
'ion-actor-roles': {
'sys_org_name': ['SUPERUSER']
}
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(
invocation, resource_id)
self.assertEqual(response.value, "Deny")
self.assertTrue(
'POLICY_STATUS_REASON' in invocation.message_annotations)
self.assertEqual(
invocation.message_annotations['POLICY_STATUS_REASON'],
'The value of argument1 is less than or equal to 3')
invocation.message = {'argument1': 5}
invocation.headers = {
'op': 'op',
'process': mock_process,
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'sender-service',
'ion-actor-roles': {
'sys_org_name': ['SUPERUSER']
}
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(
invocation, resource_id)
self.assertEqual(response.value, "Permit")
self.assertFalse(
'POLICY_STATUS_REASON' in invocation.message_annotations)
pdpm.set_resource_policy_rules(
resource_id, self.deny_message_parameter_function_rule)
invocation.message = {'argument1': 0}
invocation.headers = {
'op': 'op',
'process': mock_process,
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'sender-service',
'ion-actor-roles': {
'sys_org_name': ['SUPERUSER']
}
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(
invocation, resource_id)
self.assertEqual(response.value, "Permit")
self.assertFalse(
'POLICY_STATUS_REASON' in invocation.message_annotations)
invocation.message = {'argument1': 5}
invocation.headers = {
'op': 'op',
'process': mock_process,
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'sender-service',
'ion-actor-roles': {
'sys_org_name': ['SUPERUSER']
}
}
invocation.message_annotations = {}
response = pdpm.check_resource_request_policies(
invocation, resource_id)
self.assertTrue(
'POLICY_STATUS_REASON' in invocation.message_annotations)
self.assertEqual(
invocation.message_annotations['POLICY_STATUS_REASON'],
'The value of argument1 is larger than 3')
