def test_defaults(self): tm = TM("my test tm", description="aa", isOrdered=True) internet = Boundary("Internet") cloud = Boundary("Cloud") user = Actor("User", inBoundary=internet) server = Server("Server") db = Datastore("DB", inBoundary=cloud) db.type = DatastoreType.SQL func = Datastore("Lambda function", inBoundary=cloud) request = Dataflow(user, server, "request") response = Dataflow(server, user, "response", isResponse=True) user_query = Dataflow(user, db, "user query") server_query = Dataflow(server, db, "server query") func_query = Dataflow(func, db, "func query") default_target = ["Actor", "Boundary", "Dataflow", "Datastore", "Server"] testCases = [ {"target": server, "condition": "target.oneOf(Server, Datastore)"}, {"target": server, "condition": "not target.oneOf(Actor, Dataflow)"}, {"target": request, "condition": "target.crosses(Boundary)"}, {"target": user_query, "condition": "target.crosses(Boundary)"}, {"target": server_query, "condition": "target.crosses(Boundary)"}, {"target": func_query, "condition": "not target.crosses(Boundary)"}, {"target": func_query, "condition": "not target.enters(Boundary)"}, {"target": func_query, "condition": "not target.exits(Boundary)"}, {"target": request, "condition": "not target.enters(Boundary)"}, {"target": request, "condition": "target.exits(Boundary)"}, {"target": response, "condition": "target.enters(Boundary)"}, {"target": response, "condition": "not target.exits(Boundary)"}, {"target": user, "condition": "target.inside(Boundary)"}, {"target": func, "condition": "not any(target.inputs)"}, { "target": server, "condition": "any(f.sink.oneOf(Datastore) and f.sink.type == DatastoreType.SQL " "for f in target.outputs)", }, ] self.assertTrue(tm.check()) for case in testCases: t = Threat(SID="", target=default_target, condition=case["condition"]) self.assertTrue( t.apply(case["target"]), "Failed to match {} against {}".format( case["target"], case["condition"], ), )
def test_defaults(self): tm = TM("TM") user_data = Data("HTTP") user = Actor("User", data=user_data) user.controls.authenticatesDestination=True json_data = Data("JSON") server = Server( "Server", port=443, protocol="HTTPS", isEncrypted=True, data=json_data ) sql_resp = Data("SQL resp") db = Datastore( "PostgreSQL", port=5432, protocol="PostgreSQL", data=sql_resp, ) db.controls.isEncrypted=False db.type = DatastoreType.SQL worker = Process("Task queue worker") req_get_data = Data("HTTP GET") req_get = Dataflow(user, server, "HTTP GET", data=req_get_data) server_query_data = Data("SQL") server_query = Dataflow(server, db, "Query", data=server_query_data) result_data = Data("Results") result = Dataflow(db, server, "Results", data=result_data, isResponse=True) resp_get_data = Data("HTTP Response") resp_get = Dataflow(server, user, "HTTP Response", data=resp_get_data, isResponse=True) req_post_data = Data("JSON") req_post = Dataflow(user, server, "HTTP POST", data=req_post_data) resp_post = Dataflow(server, user, "HTTP Response", isResponse=True) sql_data = Data("SQL") worker_query = Dataflow(worker, db, "Query", data=sql_data) Dataflow(db, worker, "Results", isResponse=True) cookie = Data("Auth Cookie", carriedBy=[req_get, req_post]) self.assertTrue(tm.check()) self.assertEqual(req_get.srcPort, -1) self.assertEqual(req_get.dstPort, server.port) self.assertEqual(req_get.controls.isEncrypted, server.controls.isEncrypted) self.assertEqual( req_get.controls.authenticatesDestination, user.controls.authenticatesDestination ) self.assertEqual(req_get.protocol, server.protocol) self.assertTrue(user.data.issubset(req_get.data)) self.assertEqual(server_query.srcPort, -1) self.assertEqual(server_query.dstPort, db.port) self.assertEqual(server_query.controls.isEncrypted, db.controls.isEncrypted) self.assertEqual( server_query.controls.authenticatesDestination, server.controls.authenticatesDestination ) self.assertEqual(server_query.protocol, db.protocol) self.assertTrue(server.data.issubset(server_query.data)) self.assertEqual(result.srcPort, db.port) self.assertEqual(result.dstPort, -1) self.assertEqual(result.controls.isEncrypted, db.controls.isEncrypted) self.assertEqual(result.controls.authenticatesDestination, False) self.assertEqual(result.protocol, db.protocol) self.assertTrue(db.data.issubset(result.data)) self.assertEqual(resp_get.srcPort, server.port) self.assertEqual(resp_get.dstPort, -1) self.assertEqual(resp_get.controls.isEncrypted, server.controls.isEncrypted) self.assertEqual(resp_get.controls.authenticatesDestination, False) self.assertEqual(resp_get.protocol, server.protocol) self.assertTrue(server.data.issubset(resp_get.data)) self.assertEqual(req_post.srcPort, -1) self.assertEqual(req_post.dstPort, server.port) self.assertEqual(req_post.controls.isEncrypted, server.controls.isEncrypted) self.assertEqual( req_post.controls.authenticatesDestination, user.controls.authenticatesDestination ) self.assertEqual(req_post.protocol, server.protocol) self.assertTrue(user.data.issubset(req_post.data)) self.assertEqual(resp_post.srcPort, server.port) self.assertEqual(resp_post.dstPort, -1) self.assertEqual(resp_post.controls.isEncrypted, server.controls.isEncrypted) self.assertEqual(resp_post.controls.authenticatesDestination, False) self.assertEqual(resp_post.protocol, server.protocol) self.assertTrue(server.data.issubset(resp_post.data)) self.assertListEqual(server.inputs, [req_get, req_post]) self.assertListEqual(server.outputs, [server_query]) self.assertListEqual(worker.inputs, []) self.assertListEqual(worker.outputs, [worker_query]) self.assertListEqual(cookie.carriedBy, [req_get, req_post]) self.assertSetEqual(set(cookie.processedBy), set([user, server])) self.assertIn(cookie, req_get.data) self.assertSetEqual( set([d.name for d in req_post.data]), set([cookie.name, "HTTP", "JSON"]) )