def test_get(st):
st.add(Policy.from_json({"uid": "1", "rules": {}, "targets": {}, "effect": "deny"}))
st.add(Policy.from_json({"uid": "2", "description": "some text", "rules": {}, "targets": {}, "effect": "deny"}))
assert isinstance(st.get('1'), Policy)
assert '1' == st.get('1').uid
assert '2' == st.get('2').uid
assert 'some text' == st.get('2').description
def test_update(st):
policy = Policy.from_json({"uid": "1", "rules": {}, "targets": {}, "effect": "deny"})
# Test update before insert
st.update(policy)
assert st.get(policy.uid) is None
st.add(policy)
assert '1' == st.get('1').uid
assert '' == st.get('1').description
policy.description = 'foo'
st.update(policy)
assert '1' == st.get('1').uid
assert 'foo' == st.get('1').description
p = Policy.from_json({"uid": "2",
"description": "foo",
"rules": {},
"targets": {},
"effect": "deny"})
st.add(p)
assert '2' == st.get('2').uid
p = Policy.from_json({"uid": "2",
"description": "foo",
"rules": {"action": {"$.method": {"condition": "Equals", "value": "get"}}},
"targets": {},
"effect": "deny"})
st.update(p)
assert 1 == len(st.get('2').rules.action)
assert 'get' == st.get('2').rules.action['$.method'].value
def test_update(self):
policy = Policy.from_json(self.POLICY_JSON)
p_model = PolicyModel.from_policy(policy)
new_policy_json = self.POLICY_JSON.copy()
new_policy_json["priority"] = 1
new_policy = Policy.from_json(new_policy_json)
p_model.update(new_policy)
policy_model_assert(p_model, new_policy)
def test_add(st):
policy_json = {
"uid": "1",
"description": "Policy create test 1",
"rules": {
"subject": {"$.uid": {"condition": "Eq", "value": 1.0}},
"resource": [{"$.name": {"condition": "Equals", "value": "test", "case_insensitive": False}}],
"action": {},
"context": {}
},
"targets": {
"subject_id": ["abc", "a*"],
"resource_id": ["123"],
'action_id': '*'
},
"effect": "deny",
"priority": 0
}
policy = Policy.from_json(policy_json)
st.add(policy)
assert "1" == st.get('1').uid
assert "Policy create test 1" == st.get('1').description
policy_json = {
"uid": "2",
"description": "Policy create test 2",
"rules": {
"subject": {"$.uid": {"condition": "Eq", "value": 1.0}},
"resource": [{"$.name": {"condition": "Equals", "value": "test", "case_insensitive": False}}],
"action": [{"$.method": {"condition": "Equals", "value": "GET"}},
{"$.method": {"condition": "Equals", "value": "POST"}}],
"context": {}
},
"targets": {
"subject_id": ["abc", "a*"],
"resource_id": ["123"],
'action_id': '*'
},
"effect": "deny",
"priority": 0
}
policy = Policy.from_json(policy_json)
st.add(policy)
assert '2' == st.get('2').uid
assert 2 == len(st.get('2').rules.action)
assert 1 == len(st.get('2').rules.subject)
assert isinstance(st.get('2').rules.subject["$.uid"], Eq)
assert 1 == len(st.get('2').rules.resource)
assert isinstance(st.get('2').rules.resource[0]['$.name'], Equals)
assert 'test' == st.get('2').rules.resource[0]['$.name'].value
assert ["abc", "a*"] == st.get('2').targets.subject_id
def test_to_policy():
policy_json = {
"uid": "a381fdd3-b73a-4858-a57b-94085628b0f1",
"description": "Block user 'Max' when ip in CIDR 192.168.1.0/24",
"rules": {
"subject": {
"$.name": {
"condition": "Equals",
"value": "Max"
}
},
"context": {
"$.ip": {
"condition": "Not",
"value": {
"condition": "CIDR",
"value": "192.168.1.0/24"
}
}
}
},
"targets": {
"subject_id": "user::b90b2998-9e1b-4ac5-a743-b060b2634dbb"
},
"effect": "deny"
}
policy = Policy.from_json(policy_json)
model = PolicyModel.from_policy(policy)
new_policy = model.to_policy()
assert policy.uid == new_policy.uid
assert policy.description == new_policy.description
assert policy.priority == new_policy.priority
def test_allow_access(self):
policy_json = {
"uid": "a",
"description": "Policy create test",
"rules": {
"subject": {
"$.uid": {
"condition": "Eq",
"value": 1.0
}
},
"resource": [{
"$.name": {
"condition": "Equals",
"value": "test",
"case_insensitive": False
}
}],
"action": {},
"context": {}
},
"targets": {
"subject_id": ["abc", "a*"],
"resource_id": ["123"],
'action_id': '*'
},
"effect": "deny",
"priority": 0
}
policy = Policy.from_json(policy_json)
assert not policy.is_allowed
policy.effect = "allow"
assert policy.is_allowed
def test_policy_create_existing(st):
st.add(
Policy.from_json({
"uid": "1",
"rules": {},
"targets": {},
"effect": "deny"
}))
with pytest.raises(PolicyExistsError):
st.add(
Policy.from_json({
"uid": "1",
"rules": {},
"targets": {},
"effect": "deny"
}))
def test_to_doc():
policy_json = {
"uid": "a381fdd3-b73a-4858-a57b-94085628b0f1",
"description": "Block user 'Max' when ip in CIDR 192.168.1.0/24",
"rules": {
"subject": {
"$.name": {
"condition": "Equals",
"value": "Max"
}
},
"context": {
"$.ip": {
"condition": "Not",
"value": {
"condition": "CIDR",
"value": "192.168.1.0/24"
}
}
}
},
"targets": {
"subject_id": "user::b90b2998-9e1b-4ac5-a743-b060b2634dbb"
},
"effect": "deny"
}
policy = Policy.from_json(policy_json)
policy_doc = {
"_id": policy.uid,
"policy_str": json.dumps(policy.to_json()),
"tags": {}
}
model = PolicyModel.from_doc(policy_doc)
new_policy_doc = model.to_doc()
assert policy_doc == new_policy_doc
def st():
client = create_client()
storage = MongoStorage(client, DB_NAME, collection=COLLECTION)
for policy_json in POLICIES:
storage.add(Policy.from_json(policy_json))
yield storage
client[DB_NAME][COLLECTION].drop()
client.close()
def test_delete(st):
policy = Policy.from_json({"uid": "1", "rules": {}, "targets": {}, "effect": "deny"})
# Test non-existing
st.delete('1')
assert None is st.get('1')
st.add(policy)
assert '1' == st.get('1').uid
st.delete('1')
assert None is st.get('1')
def test_update_error(st):
# Policy with UID 1 not present.
with pytest.raises(ValueError):
policy = Policy.from_json({
"uid": "1",
"rules": {},
"targets": {},
"effect": "deny"
})
st.update(policy)
def test_get_all(st, limit, offset, result):
for i in range(200):
st.add(
Policy.from_json({
"uid": str(i),
"rules": {},
"targets": {},
"effect": "deny"
}))
policies = list(st.get_all(limit, offset))
assert result == len(policies)
def test_find_for_target(st, request_json, num):
st.add(
Policy.from_json({
"uid": "1",
"rules": {},
"targets": {},
"effect": "deny"
}))
st.add(
Policy.from_json({
"uid": "2",
"rules": {},
"targets": {
"subject_id": "ab*"
},
"effect": "deny"
}))
st.add(
Policy.from_json({
"uid": "3",
"rules": {},
"targets": {
"subject_id": "a*b"
},
"effect": "deny"
}))
st.add(
Policy.from_json({
"uid": "4",
"rules": {},
"targets": {
"subject_id": "ab*c"
},
"effect": "deny"
}))
request = AccessRequest.from_json(request_json)
found = st.get_for_target(request._subject_id, request._resource_id,
request._action_id)
found = list(found)
assert num == len(found)
def test_get_all_check_policy_properties(st):
st.add(
Policy.from_json({
"uid": "1",
"description": "foo",
"rules": {},
"targets": {},
"effect": "deny"
}))
policies = list(st.get_all(100, 0))
assert 1 == len(policies)
assert '1' == policies[0].uid
assert 'foo' == policies[0].description
def test_create(self):
uid = uuid.uuid4()
policy_json = {
"uid": str(uid),
"description": "Policy create test",
"rules": {
"subject": {
"$.uid": {
"condition": "Eq",
"value": 1.0
}
},
"resource": [{
"$.name": {
"condition": "Equals",
"value": "test",
"case_insensitive": False
}
}],
"action": {},
"context": {}
},
"targets": {
"subject_id": ["abc", "a*"],
"resource_id": ["123"],
'action_id': '*'
},
"effect": "deny",
"priority": 0
}
policy = Policy.from_json(policy_json)
assert policy.to_json() == policy_json
rules = policy.rules
assert isinstance(rules, Rules)
assert isinstance(rules.subject["$.uid"], Eq)
assert rules.subject["$.uid"].value == 1.0
assert isinstance(rules.resource[0]["$.name"], Equals)
assert rules.resource[0]["$.name"].value == "test"
assert rules.action == {}
assert rules.context == {}
targets = policy.targets
targets_json = policy_json["targets"]
assert isinstance(targets, Targets)
assert targets.subject_id == targets_json["subject_id"]
assert targets.resource_id == targets_json["resource_id"]
assert targets.action_id == "*"
def policy_model_assert(policy_model: PolicyModel, policy: Policy):
"""
Assert if the given policy model object `policy_model` is equal to the policy object `policy`
"""
def assert_targets(target_models: List[TargetModel], target_ids):
_target_ids = target_ids if isinstance(target_ids,
list) else [target_ids]
assert len(target_models) == len(_target_ids)
for x in range(len(_target_ids)):
assert target_models[x].target_id.replace('%',
'*') == _target_ids[x]
assert policy_model.uid == policy.uid
assert policy_model.json == policy.to_json()
assert_targets(policy_model.actions, policy.targets.action_id)
assert_targets(policy_model.subjects, policy.targets.subject_id)
assert_targets(policy_model.resources, policy.targets.resource_id)
def test_from_policy():
policy_json = {
"uid": "a381fdd3-b73a-4858-a57b-94085628b0f1",
"description": "Block user 'Max' when ip in CIDR 192.168.1.0/24",
"rules": {
"subject": {
"$.name": {
"condition": "Equals",
"value": "Max"
}
},
"context": {
"$.ip": {
"condition": "Not",
"value": {
"condition": "CIDR",
"value": "192.168.1.0/24"
}
}
}
},
"targets": {
"subject_id": "user::b90b2998-9e1b-4ac5-a743-b060b2634dbb"
},
"effect": "deny"
}
policy = Policy.from_json(policy_json)
model = PolicyModel.from_policy(policy)
assert isinstance(model, PolicyModel)
assert isinstance(model.policy_str, str)
assert isinstance(model._id, str)
assert isinstance(model.tags, dict)
assert model.policy_str == json.dumps(policy.to_json())
assert model._id == policy.uid
assert model.tags == {
"subject": [{
"id": ["user::b90b2998-9e1b-4ac5-a743-b060b2634dbb"]
}],
"resource": [{
"id": ["*"]
}],
"action": [{
"id": ["*"]
}]
}
def test_from_policy(self):
policy = Policy.from_json(self.POLICY_JSON)
p_model = PolicyModel.from_policy(policy)
policy_model_assert(p_model, policy)
def test_to_policy(self):
policy = Policy.from_json(self.POLICY_JSON)
p_model = PolicyModel.from_policy(policy)
_policy = p_model.to_policy()
assert policy.to_json() == _policy.to_json()
def test_get_filter(self):
policy = Policy.from_json(self.POLICY_JSON)
p_model = PolicyModel.from_policy(policy)
_filter = p_model.get_filter("1", "1", "1")
assert len(_filter) == 3
def test_create_policy_error(self, policy_json):
with pytest.raises(PolicyCreateError):
Policy.from_json(policy_json)
def test_fits(self, desc, policy_json, request_json, result):
ctx = EvaluationContext(Request.from_json(request_json))
policy = Policy.from_json(policy_json)
assert policy.fits(ctx) == result
def test__targets_to_tags(policy_json, tags):
policy = Policy.from_json(policy_json)
assert PolicyModel._targets_to_tags(policy.targets) == tags
