def test_prevent_untrusted_writes_through_implicit_flows(self): x = ProtectedRef(0, None, self.allowUserWrite(self.aliceUser)) x.update(self.aliceUser, self.aliceUser, 42) y = ProtectedRef(1, None, self.allowUserWrite(self.bobUser)) y.update(self.bobUser, self.bobUser, 2 if x.v == 42 else 3) self.assertEqual(JeevesLib.concretize(self.aliceUser, y.v), 3) self.assertEqual(JeevesLib.concretize(self.bobUser, y.v), 3)
def test_permitted_writer_overwrite(self): x = ProtectedRef(0, None, self.allowUserWrite(self.bobUser)) assert x.update(self.aliceUser, self.aliceUser, 42) == UpdateResult.Unknown assert x.update(self.bobUser, self.bobUser, 43) == UpdateResult.Unknown self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v), 43) self.assertEqual(JeevesLib.concretize(self.bobUser, x.v), 43) self.assertEqual(JeevesLib.concretize(self.carolUser, x.v), 43)
def testCountUsersInLocation(self): # Only Alice and Bob can see Alice's "high" location of S locNetwork = LocationNetwork([self.alice, self.bob, self.carol]) usersInStata = locNetwork.countUsersInLocation(self.gpsMIT) self.assertEqual(JeevesLib.concretize(self.alice, usersInStata), 1) self.assertEqual(JeevesLib.concretize(self.bob, usersInStata), 1) self.assertEqual(JeevesLib.concretize(self.carol, usersInStata), 0)
def testLogin(self): self.assertEqual( JeevesLib.concretize(self.aliceUser , Authentication.login(self.aliceUser, self.alicePwd)) , self.aliceUser) self.assertEqual( JeevesLib.concretize(self.aliceUser , Authentication.login(self.aliceUser, "otherPwd")) , Principal.NullUser())
def test_restrict_all_restrictive(self): JeevesLib.clear_cache() x = JeevesLib.mkLabel('x') JeevesLib.restrict(x, lambda _: False) self.assertFalse(JeevesLib.concretize(None, x)) self.assertFalse(JeevesLib.concretize(None, x))
def test_determine_writer_trust_later(self): x = ProtectedRef(0, None , lambda _this: lambda ictxt: lambda octxt: JeevesLib.jhas(octxt, ictxt)) x.update(self.aliceUser, self.aliceUser, 42) self.assertEqual(JeevesLib.concretize([self.aliceUser], x.v), 42) self.assertEqual(JeevesLib.concretize([], x.v), 0)
def test_determine_writer_trust_later(self): x = ProtectedRef( 0, None, lambda _this: lambda ictxt: lambda octxt: JeevesLib.jhas( octxt, ictxt)) x.update(self.aliceUser, self.aliceUser, 42) self.assertEqual(JeevesLib.concretize([self.aliceUser], x.v), 42) self.assertEqual(JeevesLib.concretize([], x.v), 0)
def test_not_tracking_implicit_flows(self): x = ProtectedRef(0, None, self.allowUserWrite(self.aliceUser), False) x.update(self.aliceUser, self.aliceUser, 42) y = ProtectedRef(1, None, self.allowUserWrite(self.bobUser), False) y.update(self.bobUser, self.bobUser, 2 if x.v == 42 else 3) self.assertEqual(JeevesLib.concretize(self.aliceUser, y.v), 2) self.assertEqual(JeevesLib.concretize(self.bobUser, y.v), 2)
def test_write_allowed_for_all_viewers(self): x = ProtectedRef(0, None, self.allowUserWrite(self.aliceUser)) assert x.update(self.aliceUser, self.aliceUser, 42) == UpdateResult.Unknown self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v), 42) self.assertEqual(JeevesLib.concretize(self.bobUser, x.v), 42) self.assertEqual(JeevesLib.concretize(self.carolUser, x.v), 42)
def test_view_email(self): self.assertEqual( JeevesLib.concretize(self.aliceUser, self.aliceUser.email) , "*****@*****.**") self.assertEqual( JeevesLib.concretize(self.aliceUser, self.eveUser.email) , "[redacted]")
def test_output_write_policies_involving_this_can_update(self): x = ProtectedRef(0, None , lambda v: lambda ictxt: lambda _: v == 0 and ictxt == self.aliceUser) x.update(self.aliceUser, self.aliceUser, 1) self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v), 1) x.update(self.aliceUser, self.aliceUser, 3) self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v), 1)
def test_output_varies_depending_on_viewer(self): x = ProtectedRef(0, None , lambda _this: lambda ictxt: lambda octxt: ictxt == self.aliceUser and octxt == self.bobUser) x.update(self.aliceUser, self.aliceUser, 42) self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v), 0) self.assertEqual(JeevesLib.concretize(self.bobUser, x.v), 42) self.assertEqual(JeevesLib.concretize(self.carolUser, x.v), 0)
def test_write_selectively_allowed(self): x = ProtectedRef(0, None , lambda _this: lambda ictxt: lambda octxt: ictxt == self.aliceUser and octxt == self.bobUser) assert x.update(self.aliceUser, self.aliceUser, 42) == UpdateResult.Unknown self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v), 0) self.assertEqual(JeevesLib.concretize(self.bobUser, x.v), 42) self.assertEqual(JeevesLib.concretize(self.carolUser, x.v), 0)
def test_view_email(self): self.assertEqual(JeevesLib.concretize(self.benUser, self.benUser.email) , "*****@*****.**") self.assertEqual(JeevesLib.concretize(self.janeUser, self.benUser.email) , "[redacted]") self.assertEqual( JeevesLib.concretize(self.rishabhUser, self.benUser.email) , "[redacted]")
def test_output_varies_depending_on_viewer(self): x = ProtectedRef( 0, None, lambda _this: lambda ictxt: lambda octxt: ictxt == self. aliceUser and octxt == self.bobUser) x.update(self.aliceUser, self.aliceUser, 42) self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v), 0) self.assertEqual(JeevesLib.concretize(self.bobUser, x.v), 42) self.assertEqual(JeevesLib.concretize(self.carolUser, x.v), 0)
def test_function_facets_cannot_write(self): def id(x): return x def inc(x): return x+1 x = ProtectedRef(id, None, self.allowUserWrite(self.bobUser)) self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v)(1), 1) x.update(self.aliceUser, self.aliceUser, inc) self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v)(1), 1)
def test_prevent_flow_of_untrusted_writes(self): x = ProtectedRef(0, None, self.allowUserWrite(self.aliceUser)) assert x.update(self.aliceUser, self.aliceUser, 42) == UpdateResult.Unknown y = ProtectedRef(1, None, self.allowUserWrite(self.bobUser)) assert y.update(self.bobUser, self.bobUser, x.v) == UpdateResult.Unknown self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v), 42) self.assertEqual(JeevesLib.concretize(self.bobUser, x.v), 42) self.assertEqual(JeevesLib.concretize(self.aliceUser, y.v), 0) self.assertEqual(JeevesLib.concretize(self.bobUser, y.v), 0)
def testConditional(self): a = JeevesLib.mkLabel() alice = User(0) bob = User(1) JeevesLib.restrict(a, lambda oc: oc == alice) xS = JeevesLib.mkSensitive(a, 42, 0) r = JeevesLib.jif(xS == 42, lambda: 1, lambda: 2) self.assertEqual(1, JeevesLib.concretize(alice, r)) self.assertEqual(2, JeevesLib.concretize(bob, r))
def testBasic(self): alice = User(0) bob = User(1) a = JeevesLib.mkLabel() JeevesLib.restrict(a, lambda oc: oc == alice) xS = JeevesLib.mkSensitive(a, 42, 0) self.assertEqual(42, JeevesLib.concretize(alice, xS)) self.assertEqual(0, JeevesLib.concretize(bob, xS))
def testIsFriends(self): self.assertTrue( JeevesLib.concretize(self.alice, self.alice.isFriends(self.bob))) self.assertTrue( JeevesLib.concretize(self.alice, self.bob.isFriends(self.alice))) self.assertFalse( JeevesLib.concretize(self.alice, self.alice.isFriends(self.carol))) self.assertFalse( JeevesLib.concretize(self.alice, self.carol.isFriends(self.alice)))
def testOwnerCanSee(self): policy = lambda oc: False aliceBid = Bid(3, self.aliceUser, policy) ctxt0 = AuctionContext(self.aliceUser, 0, []) self.assertEqual(3, JeevesLib.concretize(ctxt0, aliceBid.value)) ctxt1 = AuctionContext(self.bobUser, 0, []) self.assertEqual(-1, JeevesLib.concretize(ctxt1, aliceBid.value))
def testViewLocation(self): # Alice and Bob can see the high-confidentiality version of Alice's # location, but Carol cannot. self.assertEqual(JeevesLib.concretize(self.alice, self.alice.location) , self.gpsMIT) self.assertEqual(JeevesLib.concretize(self.bob, self.alice.location) , self.gpsMIT) self.assertEqual(JeevesLib.concretize(self.carol, self.alice.location) , self.cityCambridge)
def test_view_grade(self): course_info = StudentCourse.objects.get(student=self.benUser) self.assertEqual(JeevesLib.concretize(self.benUser, course_info.grade) , 'B') self.assertEqual(JeevesLib.concretize(self.janeUser, course_info.grade) , 'U') self.assertEqual( JeevesLib.concretize(self.rishabhUser, course_info.grade) , 'B')
def testBehavioralGood(self): touchedBadData = False def f(x): return x+1 x = ProtectedRef(lambda x: x, None , lambda _this: lambda ic: lambda touchedBad: not touchedBad) self.assertEqual(JeevesLib.concretize(None, (x.v)(1)), 1) assert x.update(None, None, f) == UpdateResult.Unknown self.assertEqual(JeevesLib.concretize(None, (x.v)(1)), 2)
def test_restrict_with_context(self): x = JeevesLib.mkLabel('x') JeevesLib.restrict(x, lambda y: y == 2) xConcrete = JeevesLib.concretize(2, x) self.assertTrue(xConcrete) xConcrete = JeevesLib.concretize(3, x) self.assertFalse(xConcrete)
def test_view_submission_grade(self): self.assertEqual(JeevesLib.concretize(self.benUser, self.ben813_1.grade) , 'A') self.assertEqual( JeevesLib.concretize(self.janeUser, self.ben813_1.grade) , 'U') self.assertEqual( JeevesLib.concretize(self.rishabhUser, self.ben813_1.grade) , 'A')
def testViewLocation(self): # Alice and Bob can see the high-confidentiality version of Alice's # location, but Carol cannot. self.assertEqual(JeevesLib.concretize(self.alice, self.alice.location), self.gpsMIT) self.assertEqual(JeevesLib.concretize(self.bob, self.alice.location), self.gpsMIT) self.assertEqual(JeevesLib.concretize(self.carol, self.alice.location), self.cityCambridge)
def test_restrict_all_permissive(self): JeevesLib.clear_cache() x = JeevesLib.mkLabel('x') JeevesLib.restrict(x, lambda _: True) self.assertTrue(JeevesLib.concretize(None, x)) # Now we test the cache. self.assertTrue(JeevesLib.concretize(None, x)) self.assertEqual(len(JeevesLib.get_cache()), 1)
def test_restrict_with_sensitive_value(self): x = JeevesLib.mkLabel('x') JeevesLib.restrict(x, lambda y: y == 2) value = JeevesLib.mkSensitive(x, 42, 41) valueConcrete = JeevesLib.concretize(2, value) self.assertEquals(valueConcrete, 42) valueConcrete = JeevesLib.concretize(1, value) self.assertEquals(valueConcrete, 41)
def test_prevent_flow_of_operations_on_untrusted_writes(self): x = ProtectedRef(0, None, self.allowUserWrite(self.aliceUser)) x.update(self.aliceUser, self.aliceUser, 42) y = ProtectedRef(1, None, self.allowUserWrite(self.bobUser)) y.update(self.bobUser, self.bobUser, 43) z = ProtectedRef(0, None, self.allowUserWrite(self.carolUser)) z.update(self.carolUser, self.carolUser, x.v + y.v) self.assertEqual(JeevesLib.concretize(self.aliceUser, z.v), 1) self.assertEqual(JeevesLib.concretize(self.bobUser, z.v), 1) self.assertEqual(JeevesLib.concretize(self.carolUser, z.v), 1)
def test_output_write_policies_involving_this_can_update(self): x = ProtectedRef(0, None , lambda v: lambda ictxt: lambda _: v == 0 and ictxt == self.aliceUser) x.update(self.aliceUser, self.aliceUser, 1) print x.v.prettyPrint() self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v), 1) x.update(self.aliceUser, self.aliceUser, 3) print x.v.prettyPrint() self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v), 1)
def test_output_write_policy_with_this_cannot_update(self): x = ProtectedRef(0, None , lambda v: lambda ictxt: lambda _octxt: (not (v == 3)) and ictxt == self.aliceUser) x.update(self.aliceUser, self.aliceUser, 1) self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v), 1) x.update(self.aliceUser, self.aliceUser, 3) self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v), 3) x.update(self.aliceUser, self.aliceUser, 5) self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v), 3)
def test_see_Address(self): self.assertEqual( JeevesLib.concretize(self.jeanyangProfile, self.jean.Address) , self.house1) self.assertEqual( JeevesLib.concretize(self.arielProfile, self.jean.Address.Street) , None) self.assertEqual( JeevesLib.concretize(self.arielProfile, self.jean.Address.ZipCode) , "14800")
def test_combining_write_policies_in_operation(self): x = ProtectedRef(0, None, self.allowUserWrite(self.bobUser)) x.update(self.bobUser, self.bobUser, 42) y = ProtectedRef(2, None , lambda _this: lambda ictxt: lambda octxt: ictxt == self.aliceUser and octxt == self.bobUser) y.update(self.aliceUser, self.aliceUser, 43) self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v + y.v), 44) self.assertEqual(JeevesLib.concretize(self.bobUser, x.v + y.v), 85) self.assertEqual(JeevesLib.concretize(self.carolUser, x.v + y.v), 44)
def test_restrict_with_sensitivevalue(self): x = JeevesLib.mkLabel('x') JeevesLib.restrict(x, lambda y: y == 2) value = JeevesLib.mkSensitive(x, 42, 41) valueConcrete = JeevesLib.concretize(2, value) self.assertEquals(valueConcrete, 42) valueConcrete = JeevesLib.concretize(1, value) self.assertEquals(valueConcrete, 41)
def test_combining_write_policies_in_operation(self): x = ProtectedRef(0, None, self.allowUserWrite(self.bobUser)) x.update(self.bobUser, self.bobUser, 42) y = ProtectedRef( 2, None, lambda _this: lambda ictxt: lambda octxt: ictxt == self. aliceUser and octxt == self.bobUser) y.update(self.aliceUser, self.aliceUser, 43) self.assertEqual(JeevesLib.concretize(self.aliceUser, x.v + y.v), 44) self.assertEqual(JeevesLib.concretize(self.bobUser, x.v + y.v), 85) self.assertEqual(JeevesLib.concretize(self.carolUser, x.v + y.v), 44)
def test_jmap_for(self): x = JeevesLib.mkLabel("x") JeevesLib.restrict(x, lambda ctxt: ctxt) l = JeevesLib.mkSensitive(x, [0, 1, 2], [3, 4, 5, 6]) m = 0 for t in l: m = m + t * t self.assertEqual(JeevesLib.concretize(True, m), 5) self.assertEqual(JeevesLib.concretize(False, m), 86)
def test_jmap_for(self): x = JeevesLib.mkLabel('x') JeevesLib.restrict(x, lambda ctxt : ctxt) l = JeevesLib.mkSensitive(x, [0,1,2], [3,4,5,6]) m = 0 for t in l: m = m + t*t self.assertEqual(JeevesLib.concretize(True, m), 5) self.assertEqual(JeevesLib.concretize(False, m), 86)
def test_restrict_with_context(self): JeevesLib.clear_cache() x = JeevesLib.mkLabel('x') JeevesLib.restrict(x, lambda y: y == 2) self.assertTrue(JeevesLib.concretize(2, x)) self.assertTrue(JeevesLib.concretize(2, x)) self.assertFalse(JeevesLib.concretize(3, x)) self.assertFalse(JeevesLib.concretize(3, x))
def testTimeSensitiveRelease(self): auctionEndTime = 10 policy = lambda oc: oc.time > auctionEndTime aliceBid = Bid(3, self.aliceUser, policy) self.assertEqual(3 , JeevesLib.concretize( AuctionContext(self.bobUser, 11, []), aliceBid.value)) self.assertEqual(-1 , JeevesLib.concretize( AuctionContext(self.bobUser, 10, []), aliceBid.value))
def test_prevent_implicit_flows_of_confidential_values(self): x = ProtectedRef(0, None , lambda _this: lambda ictxt: lambda octxt: ictxt == self.aliceUser and octxt == self.aliceUser) x.update(self.aliceUser, self.aliceUser, 42) y = ProtectedRef(1, None , lambda _this: lambda ictxt: lambda octxt: ictxt == self.bobUser or ictxt == self.aliceUser) y.update(self.bobUser, self.bobUser, 2 if x.v == 42 else 3) self.assertEqual(JeevesLib.concretize(self.aliceUser, y.v), 2) self.assertEqual(JeevesLib.concretize(self.bobUser, y.v), 3)
def testLogin(self): self.assertEqual( JeevesLib.concretize( self.aliceUser, Authentication.login(self.aliceUser, self.alicePwd)), self.aliceUser) self.assertEqual( JeevesLib.concretize( self.aliceUser, Authentication.login(self.aliceUser, "otherPwd")), Principal.NullUser())