def test_service_policies(self):
gc = Mock()
service_key = 'service_key'
pdpm = PolicyDecisionPointManager(gc)
# see that the PDP for service is the default
self.assertEqual(pdpm.get_service_pdp(service_key), pdpm.load_common_service_pdp)
pdpm.load_service_policy_rules(service_key, self.permit_ION_MANAGER_rule)
# see that the PDP for service is not the default anymore
self.assertNotEqual(pdpm.get_service_pdp(service_key), pdpm.load_common_service_pdp)
# check request without a service_key raises NotFound error
invocation = Mock()
invocation.message_annotations = {}
invocation.get_message_receiver.return_value = None
with self.assertRaises(NotFound) as chk_res:
pdpm.check_service_request_policies(invocation)
self.assertIn(chk_res.exception.message, 'No receiver for this message')
# check that, because actor does not have ION_MANAGER role, policy evaluates to a denial
# (really Not Applicable, because of the inelegant hack of a policy we are setting up our pdp with)
mock_header = Mock()
invocation.message_annotations = {}
invocation.message = {'argument1': 0}
invocation.headers = {'op': 'op', 'process': 'process', 'request': 'request', 'ion-actor-id': 'ion-actor-id', 'receiver': 'resource-registry',
'sender-type': 'sender-type', 'sender-service': 'Unknown', 'ion-actor-roles': {'org_name': ['ion-actor-roles']}}
invocation.get_message_receiver.return_value = 'service_key'
invocation.get_service_name.return_value = 'Unknown'
invocation.get_message_sender.return_value = ['Unknown','Unknown']
def get_header_value(key, default):
return invocation.headers.get(key, default)
mock_header.side_effect = get_header_value
invocation.get_header_value = mock_header
mock_args = Mock()
process = Mock()
process.org_governance_name = 'org_name'
invocation.args = {'process': process}
def get_arg_value(key, default):
return invocation.args.get(key, default)
mock_args.side_effect = get_arg_value
invocation.get_arg_value = mock_args
gc.system_root_org_name = 'sys_org_name'
response = pdpm.check_service_request_policies(invocation)
self.assertEqual(response.value, "NotApplicable")
# check that policy evaluates to Permit because actor has ION_MANAGER role
invocation.message_annotations = {}
invocation.headers = {'op': 'op', 'process': 'process', 'request': 'request', 'ion-actor-id': 'ion-actor-id', 'receiver': 'resource-registry',
'sender-type': 'sender-type', 'sender-service': 'sender-service', 'ion-actor-roles': {'sys_org_name': ['ION_MANAGER']}}
response = pdpm.check_service_request_policies(invocation)
self.assertEqual(response.value, "Permit")
def test_service_policies(self):
gc = Mock()
service_key = "service_key"
pdpm = PolicyDecisionPointManager(gc)
# see that the PDP for service is the default
self.assertEqual(pdpm.get_service_pdp(service_key), pdpm.load_common_service_pdp)
pdpm.set_service_policy_rules(service_key, self.permit_SUPERUSER_rule)
# see that the PDP for service is not the default anymore
self.assertNotEqual(pdpm.get_service_pdp(service_key), pdpm.load_common_service_pdp)
# check request without a service_key raises NotFound error
invocation = Mock()
invocation.message_annotations = {}
invocation.get_message_receiver.return_value = None
with self.assertRaises(NotFound) as chk_res:
pdpm.check_service_request_policies(invocation)
self.assertIn(chk_res.exception.message, "No receiver for this message")
# check that, because actor does not have SUPERUSER role, policy evaluates to a denial
# (really Not Applicable, because of the inelegant hack of a policy we are setting up our pdp with)
mock_header = Mock()
invocation.message_annotations = {}
invocation.message = {"argument1": 0}
invocation.headers = {
"op": "op",
"process": "process",
"request": "request",
"ion-actor-id": "ion-actor-id",
"receiver": "resource-registry",
"sender-type": "sender-type",
"sender-service": "Unknown",
"ion-actor-roles": {"org_name": ["ion-actor-roles"]},
}
invocation.get_message_receiver.return_value = "service_key"
invocation.get_service_name.return_value = "Unknown"
invocation.get_message_sender.return_value = ["Unknown", "Unknown"]
def get_header_value(key, default):
return invocation.headers.get(key, default)
mock_header.side_effect = get_header_value
invocation.get_header_value = mock_header
mock_args = Mock()
process = Mock()
process.org_governance_name = "org_name"
invocation.args = {"process": process}
def get_arg_value(key, default):
return invocation.args.get(key, default)
mock_args.side_effect = get_arg_value
invocation.get_arg_value = mock_args
gc.system_root_org_name = "sys_org_name"
response = pdpm.check_service_request_policies(invocation)
self.assertEqual(response.value, "NotApplicable")
# check that policy evaluates to Permit because actor has SUPERUSER role
invocation.message_annotations = {}
invocation.headers = {
"op": "op",
"process": "process",
"request": "request",
"ion-actor-id": "ion-actor-id",
"receiver": "resource-registry",
"sender-type": "sender-type",
"sender-service": "sender-service",
"ion-actor-roles": {"sys_org_name": ["SUPERUSER"]},
}
response = pdpm.check_service_request_policies(invocation)
self.assertEqual(response.value, "Permit")
def test_service_policies(self):
gc = Mock()
service_key = 'service_key'
pdpm = PolicyDecisionPointManager(gc)
# see that the PDP for service is the default
self.assertEqual(pdpm.get_service_pdp(service_key),
pdpm.load_common_service_pdp)
pdpm.set_service_policy_rules(service_key, self.permit_SUPERUSER_rule)
# see that the PDP for service is not the default anymore
self.assertNotEqual(pdpm.get_service_pdp(service_key),
pdpm.load_common_service_pdp)
# check request without a service_key raises NotFound error
invocation = Mock()
invocation.message_annotations = {}
invocation.get_message_receiver.return_value = None
with self.assertRaises(NotFound) as chk_res:
pdpm.check_service_request_policies(invocation)
self.assertIn(chk_res.exception.message,
'No receiver for this message')
# check that, because actor does not have SUPERUSER role, policy evaluates to a denial
# (really Not Applicable, because of the inelegant hack of a policy we are setting up our pdp with)
mock_header = Mock()
invocation.message_annotations = {}
invocation.message = {'argument1': 0}
invocation.headers = {
'op': 'op',
'process': 'process',
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'Unknown',
'ion-actor-roles': {
'org_name': ['ion-actor-roles']
}
}
invocation.get_message_receiver.return_value = 'service_key'
invocation.get_service_name.return_value = 'Unknown'
invocation.get_message_sender.return_value = ['Unknown', 'Unknown']
def get_header_value(key, default):
return invocation.headers.get(key, default)
mock_header.side_effect = get_header_value
invocation.get_header_value = mock_header
mock_args = Mock()
process = Mock()
process.org_governance_name = 'org_name'
invocation.args = {'process': process}
def get_arg_value(key, default):
return invocation.args.get(key, default)
mock_args.side_effect = get_arg_value
invocation.get_arg_value = mock_args
gc.system_root_org_name = 'sys_org_name'
response = pdpm.check_service_request_policies(invocation)
self.assertEqual(response.value, "NotApplicable")
# check that policy evaluates to Permit because actor has SUPERUSER role
invocation.message_annotations = {}
invocation.headers = {
'op': 'op',
'process': 'process',
'request': 'request',
'ion-actor-id': 'ion-actor-id',
'receiver': 'resource-registry',
'sender-type': 'sender-type',
'sender-service': 'sender-service',
'ion-actor-roles': {
'sys_org_name': ['SUPERUSER']
}
}
response = pdpm.check_service_request_policies(invocation)
self.assertEqual(response.value, "Permit")
