rgw: Adding unittests for User policies.
authorPritha Srivastava <prsrivas@redhat.com>
Thu, 24 May 2018 06:51:18 +0000 (12:21 +0530)
committerPritha Srivastava <prsrivas@redhat.com>
Mon, 2 Jul 2018 10:12:07 +0000 (15:42 +0530)
Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
src/rgw/rgw_iam_policy.cc
src/rgw/rgw_iam_policy.h
src/test/rgw/test_rgw_iam_policy.cc

index ceb83104d62861167e0a34956713be93141aa79b..ada2c1f969f3ba258073135753ee6cdf72f42f51 100644 (file)
@@ -826,7 +826,7 @@ bool ParseState::do_string(CephContext* cct, const char* s, size_t l) {
     if (*s == '*') {
       is_validaction = true;
       (w->id == TokenID::Action ?
-        t->action = iamAllValue : t->notaction = iamAllValue);
+        t->action = allValue : t->notaction = allValue);
     } else {
       for (auto& p : actpairs) {
         if (match_policy({s, l}, p.name, MATCH_POLICY_ACTION)) {
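Review bot: The conditional operator on the changed line is used only for its side effects (`t->action = allValue : t->notaction = allValue`), which buries two assignments inside one parenthesised expression; a plain `if (w->id == TokenID::Action) t->action = allValue; else t->notaction = allValue;` says what it does and is what clang-tidy would suggest. Since this line is also where a bare `*` now starts covering every IAM action and both aggregate bits rather than the S3 set alone, a one-line comment such as `// "*" matches every known action, S3 and IAM, including the s3All/iamAll aggregates` would save the next reader a trip to the header. do_string continues outside this hunk, so the surrounding control flow is only partly visible here.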
@@ -839,6 +839,12 @@ bool ParseState::do_string(CephContext* cct, const char* s, size_t l) {
         if ((t->notaction & s3AllValue) == s3AllValue) {
           t->notaction[s3All] = 1;
         }
+        if ((t->action & iamAllValue) == iamAllValue) {
+          t->action[iamAll] = 1;
+        }
+        if ((t->notaction & iamAllValue) == iamAllValue) {
+          t->notaction[iamAll] = 1;
+        }
       }
     }
   } else if (w->id == TokenID::Resource || w->id == TokenID::NotResource) {
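Review bot: The two added aggregate checks duplicate the s3All pair directly above them, and judging by the indentation all four sit inside the `for (auto& p : actpairs)` loop, so they are re-evaluated once per matched action pair even though only the final state matters; the loop head and the rest of do_string lie outside this hunk, so please confirm the placement. A small helper keeps the four cases in one place and makes it obvious that the aggregate bit is derived from the full mask rather than set independently, which matters because `eval` appears to grant on the aggregate. The helper could be defined just before the loop and the four calls placed where the checks are now (or after the loop if the placement is confirmed).
```cpp
  // Set the aggregate bit once every individual action in `all` is present.
  auto set_aggregate = [](Action_t& bits, const Action_t& all,
                          std::uint64_t aggregate) {
    if ((bits & all) == all) {
      bits.set(aggregate);
    }
  };
  // … unchanged: actpairs loop and match_policy check …
  set_aggregate(t->action, s3AllValue, s3All);
  set_aggregate(t->notaction, s3AllValue, s3All);
  set_aggregate(t->action, iamAllValue, iamAll);
  set_aggregate(t->notaction, iamAllValue, iamAll);
```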
index 759b5f084021de0173ef06da5c536a1fcf0aa1a1..38e2726a23417420a0a6c1f779d8e32831cfda80 100644 (file)
@@ -102,7 +102,6 @@ static constexpr std::uint64_t iamPutUserPolicy = 55;
 static constexpr std::uint64_t iamGetUserPolicy = 56;
 static constexpr std::uint64_t iamDeleteUserPolicy = 57;
 static constexpr std::uint64_t iamListUserPolicies = 58;
-
 static constexpr std::uint64_t iamCreateRole = 59;
 static constexpr std::uint64_t iamDeleteRole = 60;
 static constexpr std::uint64_t iamModifyRole = 61;
@@ -112,17 +111,19 @@ static constexpr std::uint64_t iamPutRolePolicy = 64;
 static constexpr std::uint64_t iamGetRolePolicy = 65;
 static constexpr std::uint64_t iamListRolePolicies = 66;
 static constexpr std::uint64_t iamDeleteRolePolicy = 67;
+static constexpr std::uint64_t iamAll = 68;
 
 static constexpr std::uint64_t s3Count = s3DeleteObjectVersionTagging + 1;
-static constexpr std::uint64_t allCount = iamDeleteRolePolicy + 1;
+static constexpr std::uint64_t allCount = iamAll + 1;
 
 using Action_t = bitset<allCount>;
 using NotAction_t = Action_t;
 
 static const Action_t None(0);
 static const Action_t s3AllValue("111111111111111111111111111111111111111111111111111111");
-//Modify iamAllValue if more IAM actions are added
-static const Action_t iamAllValue("11111111111111111111111111111111111111111111111111111111111111111111");
+static const Action_t iamAllValue("11111111111110000000000000000000000000000000000000000000000000000000");
+//Modify allValue if more Actions are added
+static const Action_t allValue("111111111111111111111111111111111111111111111111111111111111111111111");
 
 namespace {
 inline int op_to_perm(std::uint64_t op) {
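Review bot: The new `iamAllValue` and `allValue` are hand-typed bit strings whose meaning depends on their exact length, because `bitset`'s string constructor maps the last character to bit 0; the ones in `iamAllValue` only land on the IAM range (apparently bits 55..67, if the literal is 68 characters) as long as nobody adds an action without lengthening both strings, and the comment `//Modify allValue if more Actions are added` is the only guard. Since these masks decide when the `s3All`/`iamAll` aggregate bits are set and therefore what an `iam:*` or `*` policy grants, a silent off-by-one here changes authorization behaviour without any compile error. Building them from the named constants removes the manual step: `allValue` becomes `Action_t().set()` (equivalent to the literal if it has `allCount` ones, as intended), and `iamAllValue` a loop over the IAM range — the fence assumes `iamPutUserPolicy` (55, visible in the hunk header) is the first IAM action, which should be confirmed against the constants above the hunk. A `static_assert(iamDeleteRolePolicy + 1 == iamAll, "iamAll must follow the last IAM action");` would also catch a future insertion.
```cpp
static const Action_t s3AllValue("111111111111111111111111111111111111111111111111111111");
// IAM actions are assumed to occupy the contiguous range
// [iamPutUserPolicy, iamDeleteRolePolicy]; confirm against the constants above.
inline Action_t make_iam_all_value() {
  Action_t v;
  for (std::uint64_t i = iamPutUserPolicy; i <= iamDeleteRolePolicy; ++i) {
    v.set(i);
  }
  return v;
}
static const Action_t iamAllValue = make_iam_all_value();
// Every action bit, including the s3All and iamAll aggregates; follows allCount.
static const Action_t allValue = Action_t().set();
```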
index 9b553da4fbbf4c78e86d82b862789e52d01e5f7b..b5b1d5f84015527819fda4d86b122b028e39aff7 100644 (file)
@@ -81,6 +81,9 @@ using rgw::IAM::TokenID;
 using rgw::IAM::Version;
 using rgw::IAM::Action_t;
 using rgw::IAM::NotAction_t;
+using rgw::IAM::iamCreateRole;
+using rgw::IAM::iamDeleteRole;
+using rgw::IAM::iamAll;
 
 class FakeIdentity : public Identity {
   const Principal id;
@@ -126,6 +129,9 @@ protected:
   static string example1;
   static string example2;
   static string example3;
+  static string example4;
+  static string example5;
+  static string example6;
 public:
   PolicyTest() {
     cct = new CephContext(CEPH_ENTITY_TYPE_CLIENT);
@@ -484,6 +490,152 @@ TEST_F(PolicyTest, Eval3) {
   }
 }
 
+TEST_F(PolicyTest, Parse4) {
+  boost::optional<Policy> p;
+
+  ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
+                            bufferlist::static_from_string(example4)));
+  ASSERT_TRUE(p);
+
+  EXPECT_EQ(p->text, example4);
+  EXPECT_EQ(p->version, Version::v2012_10_17);
+  EXPECT_FALSE(p->id);
+  EXPECT_FALSE(p->statements[0].sid);
+  EXPECT_FALSE(p->statements.empty());
+  EXPECT_EQ(p->statements.size(), 1U);
+  EXPECT_TRUE(p->statements[0].princ.empty());
+  EXPECT_TRUE(p->statements[0].noprinc.empty());
+  EXPECT_EQ(p->statements[0].effect, Effect::Allow);
+  Action_t act;
+  act[iamCreateRole] = 1;
+  EXPECT_EQ(p->statements[0].action, act);
+  EXPECT_EQ(p->statements[0].notaction, None);
+  ASSERT_FALSE(p->statements[0].resource.empty());
+  ASSERT_EQ(p->statements[0].resource.size(), 1U);
+  EXPECT_EQ(p->statements[0].resource.begin()->partition, Partition::wildcard);
+  EXPECT_EQ(p->statements[0].resource.begin()->service, Service::wildcard);
+  EXPECT_EQ(p->statements[0].resource.begin()->region, "*");
+  EXPECT_EQ(p->statements[0].resource.begin()->account, arbitrary_tenant);
+  EXPECT_EQ(p->statements[0].resource.begin()->resource, "*");
+  EXPECT_TRUE(p->statements[0].notresource.empty());
+  EXPECT_TRUE(p->statements[0].conditions.empty());
+}
+
+TEST_F(PolicyTest, Eval4) {
+  auto p  = Policy(cct.get(), arbitrary_tenant,
+                  bufferlist::static_from_string(example4));
+  Environment e;
+
+  EXPECT_EQ(p.eval(e, none, iamCreateRole,
+                  ARN(Partition::aws, Service::iam,
+                      "", arbitrary_tenant, "role/example_role")),
+           Effect::Allow);
+
+  EXPECT_EQ(p.eval(e, none, iamDeleteRole,
+                  ARN(Partition::aws, Service::iam,
+                      "", arbitrary_tenant, "role/example_role")),
+           Effect::Pass);
+}
+
+TEST_F(PolicyTest, Parse5) {
+  boost::optional<Policy> p;
+
+  ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
+                            bufferlist::static_from_string(example5)));
+  ASSERT_TRUE(p);
+  EXPECT_EQ(p->text, example5);
+  EXPECT_EQ(p->version, Version::v2012_10_17);
+  EXPECT_FALSE(p->id);
+  EXPECT_FALSE(p->statements[0].sid);
+  EXPECT_FALSE(p->statements.empty());
+  EXPECT_EQ(p->statements.size(), 1U);
+  EXPECT_TRUE(p->statements[0].princ.empty());
+  EXPECT_TRUE(p->statements[0].noprinc.empty());
+  EXPECT_EQ(p->statements[0].effect, Effect::Allow);
+  Action_t act;
+  for (auto i = s3All+1; i <= iamAll; i++)
+    act[i] = 1;
+  EXPECT_EQ(p->statements[0].action, act);
+  EXPECT_EQ(p->statements[0].notaction, None);
+  ASSERT_FALSE(p->statements[0].resource.empty());
+  ASSERT_EQ(p->statements[0].resource.size(), 1U);
+  EXPECT_EQ(p->statements[0].resource.begin()->partition, Partition::aws);
+  EXPECT_EQ(p->statements[0].resource.begin()->service, Service::iam);
+  EXPECT_EQ(p->statements[0].resource.begin()->region, "");
+  EXPECT_EQ(p->statements[0].resource.begin()->account, arbitrary_tenant);
+  EXPECT_EQ(p->statements[0].resource.begin()->resource, "role/example_role");
+  EXPECT_TRUE(p->statements[0].notresource.empty());
+  EXPECT_TRUE(p->statements[0].conditions.empty());
+}
+
+TEST_F(PolicyTest, Eval5) {
+  auto p  = Policy(cct.get(), arbitrary_tenant,
+                  bufferlist::static_from_string(example5));
+  Environment e;
+
+  EXPECT_EQ(p.eval(e, none, iamCreateRole,
+                  ARN(Partition::aws, Service::iam,
+                      "", arbitrary_tenant, "role/example_role")),
+           Effect::Allow);
+
+  EXPECT_EQ(p.eval(e, none, s3ListBucket,
+                  ARN(Partition::aws, Service::iam,
+                      "", arbitrary_tenant, "role/example_role")),
+           Effect::Pass);
+
+  EXPECT_EQ(p.eval(e, none, iamCreateRole,
+                  ARN(Partition::aws, Service::iam,
+                      "", "", "role/example_role")),
+           Effect::Pass);
+}
+
+TEST_F(PolicyTest, Parse6) {
+  boost::optional<Policy> p;
+
+  ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
+                            bufferlist::static_from_string(example6)));
+  ASSERT_TRUE(p);
+  EXPECT_EQ(p->text, example6);
+  EXPECT_EQ(p->version, Version::v2012_10_17);
+  EXPECT_FALSE(p->id);
+  EXPECT_FALSE(p->statements[0].sid);
+  EXPECT_FALSE(p->statements.empty());
+  EXPECT_EQ(p->statements.size(), 1U);
+  EXPECT_TRUE(p->statements[0].princ.empty());
+  EXPECT_TRUE(p->statements[0].noprinc.empty());
+  EXPECT_EQ(p->statements[0].effect, Effect::Allow);
+  Action_t act;
+  for (auto i = 0U; i <= iamAll; i++)
+    act[i] = 1;
+  EXPECT_EQ(p->statements[0].action, act);
+  EXPECT_EQ(p->statements[0].notaction, None);
+  ASSERT_FALSE(p->statements[0].resource.empty());
+  ASSERT_EQ(p->statements[0].resource.size(), 1U);
+  EXPECT_EQ(p->statements[0].resource.begin()->partition, Partition::aws);
+  EXPECT_EQ(p->statements[0].resource.begin()->service, Service::iam);
+  EXPECT_EQ(p->statements[0].resource.begin()->region, "");
+  EXPECT_EQ(p->statements[0].resource.begin()->account, arbitrary_tenant);
+  EXPECT_EQ(p->statements[0].resource.begin()->resource, "user/A");
+  EXPECT_TRUE(p->statements[0].notresource.empty());
+  EXPECT_TRUE(p->statements[0].conditions.empty());
+}
+
+TEST_F(PolicyTest, Eval6) {
+  auto p  = Policy(cct.get(), arbitrary_tenant,
+                  bufferlist::static_from_string(example6));
+  Environment e;
+
+  EXPECT_EQ(p.eval(e, none, iamCreateRole,
+                  ARN(Partition::aws, Service::iam,
+                      "", arbitrary_tenant, "user/A")),
+           Effect::Allow);
+
+  EXPECT_EQ(p.eval(e, none, s3ListBucket,
+                  ARN(Partition::aws, Service::iam,
+                      "", arbitrary_tenant, "user/A")),
+           Effect::Allow);
+}
+
 const string PolicyTest::arbitrary_tenant = "arbitrary_tenant";
 string PolicyTest::example1 = R"(
 {
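Review bot: Parse4, Parse5 and Parse6 each read `p->statements[0].sid` before asserting that `statements` is non-empty, so a parse that yields no statements would index an empty container (undefined behaviour if it is a std::vector, which the `.size()`/`.empty()` calls suggest) instead of failing cleanly; moving `EXPECT_FALSE(p->statements[0].sid);` below `ASSERT_EQ(p->statements.size(), 1U);` fixes the order in all three. The new `NotAction` branch of the iamAll aggregation in rgw_iam_policy.cc has no coverage here: every example uses `"Action"`, so a seventh example with `"NotAction": "iam:*"` and an assertion that `notaction` equals the `s3All+1..iamAll` mask (mirroring the loop in Parse5) would exercise it. Eval5's `s3ListBucket` → `Effect::Pass` case is the right kind of negative check; an equivalent Deny-effect case for `iam:*` would round out the evaluation tests.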
@@ -546,6 +698,38 @@ string PolicyTest::example3 = R"(
 }
 )";
 
+string PolicyTest::example4 = R"(
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Action": "iam:CreateRole",
+    "Resource": "*"
+  }
+}
+)";
+
+string PolicyTest::example5 = R"(
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Action": "iam:*",
+    "Resource": "arn:aws:iam:::role/example_role"
+  }
+}
+)";
+
+string PolicyTest::example6 = R"(
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Action": "*",
+    "Resource": "arn:aws:iam:::user/A"
+  }
+}
+)";
 class IPPolicyTest : public ::testing::Test {
 protected:
   intrusive_ptr<CephContext> cct;