parent
03dd995bc3
commit
4e97c243d6
@ -0,0 +1,2 @@
|
||||
# Autogenerated files
|
||||
/*_test.gen.rego
|
||||
@ -1,404 +0,0 @@
|
||||
package analytics
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_ADMIN_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 76, "privilege": "admin"}, "organization": null}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_ADMIN_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 70, "privilege": "admin"}, "organization": null}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_BUSINESS_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 45, "privilege": "business"}, "organization": null}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_BUSINESS_membership_NONE {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 11, "privilege": "business"}, "organization": null}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_USER_membership_NONE {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 70, "privilege": "user"}, "organization": null}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_USER_membership_NONE {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 52, "privilege": "user"}, "organization": null}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_WORKER_membership_NONE {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 34, "privilege": "worker"}, "organization": null}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_WORKER_membership_NONE {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 70, "privilege": "worker"}, "organization": null}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_NONE_membership_NONE {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 73, "privilege": "none"}, "organization": null}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_NONE_membership_NONE {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 98, "privilege": "none"}, "organization": null}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_OWNER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 56, "privilege": "admin"}, "organization": {"id": 112, "owner": {"id": 56}, "user": {"role": "owner"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_OWNER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 98, "privilege": "admin"}, "organization": {"id": 114, "owner": {"id": 98}, "user": {"role": "owner"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_MAINTAINER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 31, "privilege": "admin"}, "organization": {"id": 115, "owner": {"id": 244}, "user": {"role": "maintainer"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_MAINTAINER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 40, "privilege": "admin"}, "organization": {"id": 190, "owner": {"id": 208}, "user": {"role": "maintainer"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 57, "privilege": "admin"}, "organization": {"id": 137, "owner": {"id": 294}, "user": {"role": "supervisor"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 65, "privilege": "admin"}, "organization": {"id": 193, "owner": {"id": 253}, "user": {"role": "supervisor"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_WORKER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 11, "privilege": "admin"}, "organization": {"id": 140, "owner": {"id": 257}, "user": {"role": "worker"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_WORKER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 29, "privilege": "admin"}, "organization": {"id": 133, "owner": {"id": 291}, "user": {"role": "worker"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 25, "privilege": "admin"}, "organization": {"id": 185, "owner": {"id": 266}, "user": {"role": null}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 9, "privilege": "admin"}, "organization": {"id": 199, "owner": {"id": 225}, "user": {"role": null}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_OWNER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 40, "privilege": "business"}, "organization": {"id": 144, "owner": {"id": 40}, "user": {"role": "owner"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_OWNER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 74, "privilege": "business"}, "organization": {"id": 141, "owner": {"id": 74}, "user": {"role": "owner"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_MAINTAINER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 18, "privilege": "business"}, "organization": {"id": 137, "owner": {"id": 275}, "user": {"role": "maintainer"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_MAINTAINER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 4, "privilege": "business"}, "organization": {"id": 105, "owner": {"id": 285}, "user": {"role": "maintainer"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 45, "privilege": "business"}, "organization": {"id": 102, "owner": {"id": 291}, "user": {"role": "supervisor"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_SUPERVISOR {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 66, "privilege": "business"}, "organization": {"id": 152, "owner": {"id": 255}, "user": {"role": "supervisor"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_WORKER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 65, "privilege": "business"}, "organization": {"id": 198, "owner": {"id": 227}, "user": {"role": "worker"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_WORKER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 74, "privilege": "business"}, "organization": {"id": 125, "owner": {"id": 208}, "user": {"role": "worker"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 99, "privilege": "business"}, "organization": {"id": 115, "owner": {"id": 276}, "user": {"role": null}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_NONE {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 57, "privilege": "business"}, "organization": {"id": 190, "owner": {"id": 253}, "user": {"role": null}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_OWNER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 54, "privilege": "user"}, "organization": {"id": 130, "owner": {"id": 54}, "user": {"role": "owner"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_OWNER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 74, "privilege": "user"}, "organization": {"id": 145, "owner": {"id": 74}, "user": {"role": "owner"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_MAINTAINER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 44, "privilege": "user"}, "organization": {"id": 157, "owner": {"id": 223}, "user": {"role": "maintainer"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_MAINTAINER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 55, "privilege": "user"}, "organization": {"id": 142, "owner": {"id": 292}, "user": {"role": "maintainer"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_SUPERVISOR {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 7, "privilege": "user"}, "organization": {"id": 154, "owner": {"id": 243}, "user": {"role": "supervisor"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_SUPERVISOR {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 72, "privilege": "user"}, "organization": {"id": 199, "owner": {"id": 225}, "user": {"role": "supervisor"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_WORKER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 82, "privilege": "user"}, "organization": {"id": 148, "owner": {"id": 273}, "user": {"role": "worker"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_WORKER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 27, "privilege": "user"}, "organization": {"id": 147, "owner": {"id": 296}, "user": {"role": "worker"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_NONE {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 35, "privilege": "user"}, "organization": {"id": 146, "owner": {"id": 298}, "user": {"role": null}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_NONE {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 8, "privilege": "user"}, "organization": {"id": 118, "owner": {"id": 247}, "user": {"role": null}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_OWNER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 34, "privilege": "worker"}, "organization": {"id": 112, "owner": {"id": 34}, "user": {"role": "owner"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_OWNER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 47, "privilege": "worker"}, "organization": {"id": 149, "owner": {"id": 47}, "user": {"role": "owner"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_MAINTAINER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 4, "privilege": "worker"}, "organization": {"id": 147, "owner": {"id": 277}, "user": {"role": "maintainer"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_MAINTAINER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 52, "privilege": "worker"}, "organization": {"id": 150, "owner": {"id": 233}, "user": {"role": "maintainer"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_SUPERVISOR {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 58, "privilege": "worker"}, "organization": {"id": 102, "owner": {"id": 275}, "user": {"role": "supervisor"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_SUPERVISOR {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 63, "privilege": "worker"}, "organization": {"id": 106, "owner": {"id": 258}, "user": {"role": "supervisor"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_WORKER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 11, "privilege": "worker"}, "organization": {"id": 171, "owner": {"id": 212}, "user": {"role": "worker"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_WORKER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 57, "privilege": "worker"}, "organization": {"id": 150, "owner": {"id": 216}, "user": {"role": "worker"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_NONE {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 62, "privilege": "worker"}, "organization": {"id": 112, "owner": {"id": 233}, "user": {"role": null}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_NONE {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 75, "privilege": "worker"}, "organization": {"id": 146, "owner": {"id": 241}, "user": {"role": null}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_OWNER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 75, "privilege": "none"}, "organization": {"id": 122, "owner": {"id": 75}, "user": {"role": "owner"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_OWNER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 54, "privilege": "none"}, "organization": {"id": 181, "owner": {"id": 54}, "user": {"role": "owner"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_MAINTAINER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 44, "privilege": "none"}, "organization": {"id": 159, "owner": {"id": 238}, "user": {"role": "maintainer"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_MAINTAINER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 65, "privilege": "none"}, "organization": {"id": 152, "owner": {"id": 296}, "user": {"role": "maintainer"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_SUPERVISOR {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 41, "privilege": "none"}, "organization": {"id": 188, "owner": {"id": 223}, "user": {"role": "supervisor"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_SUPERVISOR {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 84, "privilege": "none"}, "organization": {"id": 132, "owner": {"id": 284}, "user": {"role": "supervisor"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_WORKER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 15, "privilege": "none"}, "organization": {"id": 136, "owner": {"id": 216}, "user": {"role": "worker"}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_WORKER {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 83, "privilege": "none"}, "organization": {"id": 106, "owner": {"id": 258}, "user": {"role": "worker"}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_NONE {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 35, "privilege": "none"}, "organization": {"id": 178, "owner": {"id": 246}, "user": {"role": null}}}, "resource": {"visibility": "public"}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_NONE {
|
||||
not allow with input as {"scope": "view", "auth": {"user": {"id": 3, "privilege": "none"}, "organization": {"id": 181, "owner": {"id": 234}, "user": {"role": null}}}, "resource": {"visibility": "private"}}
|
||||
}
|
||||
|
||||
|
||||
|
||||
# analytics_test.gen.py
|
||||
# # Copyright (C) 2022 Intel Corporation
|
||||
# #
|
||||
# # SPDX-License-Identifier: MIT
|
||||
#
|
||||
# import csv
|
||||
# import json
|
||||
# import random
|
||||
# import sys
|
||||
# import os
|
||||
# from itertools import product
|
||||
# from tkinter.messagebox import NO
|
||||
#
|
||||
# NAME = 'analytics'
|
||||
#
|
||||
# def read_rules(name):
|
||||
# rules = []
|
||||
# with open(os.path.join(sys.argv[1], f'{name}.csv')) as f:
|
||||
# reader = csv.DictReader(f)
|
||||
# for row in reader:
|
||||
# row = {k.lower():v.lower().replace('n/a','na') for k,v in row.items()}
|
||||
# row['limit'] = row['limit'].replace('none', 'None')
|
||||
# found = False
|
||||
# for col,val in row.items():
|
||||
# if col in ["limit", "method", "url"]:
|
||||
# continue
|
||||
# complex_val = [v.strip() for v in val.split(',')]
|
||||
# if len(complex_val) > 1:
|
||||
# found = True
|
||||
# for item in complex_val:
|
||||
# new_row = row.copy()
|
||||
# new_row[col] = item
|
||||
# rules.append(new_row)
|
||||
# if not found:
|
||||
# rules.append(row)
|
||||
#
|
||||
# return rules
|
||||
#
|
||||
# simple_rules = read_rules(NAME)
|
||||
#
|
||||
# SCOPES = {rule['scope'] for rule in simple_rules}
|
||||
# CONTEXTS = ['sandbox', 'organization']
|
||||
# OWNERSHIPS = ['none']
|
||||
# GROUPS = ['admin', 'business', 'user', 'worker', 'none']
|
||||
# ORG_ROLES = ['owner', 'maintainer', 'supervisor', 'worker', None]
|
||||
#
|
||||
# def RESOURCES(scope):
|
||||
# if scope == 'view':
|
||||
# return [
|
||||
# {'visibility': 'public'},
|
||||
# {'visibility': 'private'},
|
||||
# ]
|
||||
#
|
||||
# return [None]
|
||||
#
|
||||
# def eval_rule(scope, context, ownership, privilege, membership, data):
|
||||
# if privilege == 'admin':
|
||||
# return True
|
||||
#
|
||||
# rules = list(filter(lambda r: scope == r['scope'], simple_rules))
|
||||
# rules = list(filter(lambda r: r['context'] == 'na' or context == r['context'], rules))
|
||||
# rules = list(filter(lambda r: r['ownership'] == 'na' or ownership == r['ownership'], rules))
|
||||
# rules = list(filter(lambda r: r['membership'] == 'na' or
|
||||
# ORG_ROLES.index(membership) <= ORG_ROLES.index(r['membership']), rules))
|
||||
# rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r['privilege']), rules))
|
||||
# resource = data['resource']
|
||||
# rules = list(filter(lambda r: eval(r['limit'], {'resource': resource}), rules))
|
||||
#
|
||||
# return bool(rules)
|
||||
#
|
||||
# def get_data(scope, context, ownership, privilege, membership, resource):
|
||||
# data = {
|
||||
# "scope": scope,
|
||||
# "auth": {
|
||||
# "user": { "id": random.randrange(0,100), "privilege": privilege },
|
||||
# "organization": {
|
||||
# "id": random.randrange(100,200),
|
||||
# "owner": { "id": random.randrange(200, 300) },
|
||||
# "user": { "role": membership }
|
||||
# } if context == 'organization' else None
|
||||
# },
|
||||
# "resource": resource
|
||||
# }
|
||||
#
|
||||
# user_id = data['auth']['user']['id']
|
||||
# if context == 'organization':
|
||||
# if data['auth']['organization']['user']['role'] == 'owner':
|
||||
# data['auth']['organization']['owner']['id'] = user_id
|
||||
#
|
||||
# return data
|
||||
#
|
||||
# def _get_name(prefix, **kwargs):
|
||||
# name = prefix
|
||||
# for k,v in kwargs.items():
|
||||
# if k == 'resource':
|
||||
# continue
|
||||
# prefix = '_' + str(k)
|
||||
# if isinstance(v, dict):
|
||||
# if 'id' in v:
|
||||
# v = v.copy()
|
||||
# v.pop('id')
|
||||
# if v:
|
||||
# name += _get_name(prefix, **v)
|
||||
# else:
|
||||
# name += ''.join(map(lambda c: c if c.isalnum() else {'@':'_IN_'}.get(c, '_'),
|
||||
# f'{prefix}_{str(v).upper()}'))
|
||||
#
|
||||
# return name
|
||||
#
|
||||
# def get_name(scope, context, ownership, privilege, membership, resource):
|
||||
# return _get_name('test', **locals())
|
||||
#
|
||||
# def is_valid(scope, context, ownership, privilege, membership, resource):
|
||||
# if context == "sandbox" and membership:
|
||||
# return False
|
||||
# if scope == 'list' and ownership != 'None':
|
||||
# return False
|
||||
#
|
||||
# return True
|
||||
#
|
||||
# def gen_test_rego(name):
|
||||
# with open(f'{name}_test.gen.rego', 'wt') as f:
|
||||
# f.write(f'package {name}\n\n')
|
||||
# for scope, context, ownership, privilege, membership in product(
|
||||
# SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES):
|
||||
# for resource in RESOURCES(scope):
|
||||
# if not is_valid(scope, context, ownership, privilege, membership, resource):
|
||||
# continue
|
||||
#
|
||||
# data = get_data(scope, context, ownership, privilege, membership, resource)
|
||||
# test_name = get_name(scope, context, ownership, privilege, membership, resource)
|
||||
# result = eval_rule(scope, context, ownership, privilege, membership, data)
|
||||
# f.write('{test_name} {{\n {allow} with input as {data}\n}}\n\n'.format(
|
||||
# test_name=test_name, allow='allow' if result else 'not allow',
|
||||
# data=json.dumps(data)))
|
||||
#
|
||||
# # Write the script which is used to generate the file
|
||||
# with open(sys.argv[0]) as this_file:
|
||||
# f.write(f'\n\n# {os.path.split(sys.argv[0])[1]}\n')
|
||||
# for line in this_file:
|
||||
# if line.strip():
|
||||
# f.write(f'# {line}')
|
||||
# else:
|
||||
# f.write(f'#\n')
|
||||
#
|
||||
# # Write rules which are used to generate the file
|
||||
# with open(os.path.join(sys.argv[1], f'{name}.csv')) as rego_file:
|
||||
# f.write(f'\n\n# {name}.csv\n')
|
||||
# for line in rego_file:
|
||||
# if line.strip():
|
||||
# f.write(f'# {line}')
|
||||
# else:
|
||||
# f.write(f'#\n')
|
||||
#
|
||||
# gen_test_rego(NAME)
|
||||
|
||||
# analytics.csv
|
||||
# Scope,Resource,Context,Ownership,Limit,Method,URL,Privilege,Membership
|
||||
# view,Analytics,N/A,N/A,resource['visibility']=='public',GET,"/analytics",business,N/A
|
||||
# view,Analytics,N/A,N/A,,GET,"/analytics",admin,N/A
|
||||
@ -1,525 +0,0 @@
|
||||
package lambda
|
||||
|
||||
test_scope_CALL_ONLINE_context_SANDBOX_ownership_NONE_privilege_ADMIN_membership_NONE {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 70, "privilege": "admin"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_SANDBOX_ownership_NONE_privilege_BUSINESS_membership_NONE {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 35, "privilege": "business"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_SANDBOX_ownership_NONE_privilege_USER_membership_NONE {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 6, "privilege": "user"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_SANDBOX_ownership_NONE_privilege_WORKER_membership_NONE {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 65, "privilege": "worker"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_SANDBOX_ownership_NONE_privilege_NONE_membership_NONE {
|
||||
not allow with input as {"scope": "call:online", "auth": {"user": {"id": 51, "privilege": "none"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_OWNER {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 68, "privilege": "admin"}, "organization": {"id": 184, "owner": {"id": 68}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_MAINTAINER {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 46, "privilege": "admin"}, "organization": {"id": 185, "owner": {"id": 226}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 91, "privilege": "admin"}, "organization": {"id": 107, "owner": {"id": 280}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_WORKER {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 78, "privilege": "admin"}, "organization": {"id": 115, "owner": {"id": 243}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_NONE {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 45, "privilege": "admin"}, "organization": {"id": 117, "owner": {"id": 209}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_OWNER {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 76, "privilege": "business"}, "organization": {"id": 134, "owner": {"id": 76}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_MAINTAINER {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 78, "privilege": "business"}, "organization": {"id": 105, "owner": {"id": 247}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 5, "privilege": "business"}, "organization": {"id": 168, "owner": {"id": 297}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_WORKER {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 36, "privilege": "business"}, "organization": {"id": 112, "owner": {"id": 221}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_NONE {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 63, "privilege": "business"}, "organization": {"id": 136, "owner": {"id": 232}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_OWNER {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 10, "privilege": "user"}, "organization": {"id": 143, "owner": {"id": 10}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_MAINTAINER {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 90, "privilege": "user"}, "organization": {"id": 183, "owner": {"id": 291}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 99, "privilege": "user"}, "organization": {"id": 177, "owner": {"id": 247}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_WORKER {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 94, "privilege": "user"}, "organization": {"id": 163, "owner": {"id": 275}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_NONE {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 52, "privilege": "user"}, "organization": {"id": 198, "owner": {"id": 275}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_OWNER {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 79, "privilege": "worker"}, "organization": {"id": 108, "owner": {"id": 79}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_MAINTAINER {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 26, "privilege": "worker"}, "organization": {"id": 176, "owner": {"id": 298}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 6, "privilege": "worker"}, "organization": {"id": 121, "owner": {"id": 236}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_WORKER {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 97, "privilege": "worker"}, "organization": {"id": 120, "owner": {"id": 209}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_NONE {
|
||||
allow with input as {"scope": "call:online", "auth": {"user": {"id": 98, "privilege": "worker"}, "organization": {"id": 127, "owner": {"id": 230}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_OWNER {
|
||||
not allow with input as {"scope": "call:online", "auth": {"user": {"id": 87, "privilege": "none"}, "organization": {"id": 153, "owner": {"id": 87}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_MAINTAINER {
|
||||
not allow with input as {"scope": "call:online", "auth": {"user": {"id": 91, "privilege": "none"}, "organization": {"id": 152, "owner": {"id": 237}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_SUPERVISOR {
|
||||
not allow with input as {"scope": "call:online", "auth": {"user": {"id": 3, "privilege": "none"}, "organization": {"id": 168, "owner": {"id": 200}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_WORKER {
|
||||
not allow with input as {"scope": "call:online", "auth": {"user": {"id": 19, "privilege": "none"}, "organization": {"id": 167, "owner": {"id": 217}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_NONE {
|
||||
not allow with input as {"scope": "call:online", "auth": {"user": {"id": 36, "privilege": "none"}, "organization": {"id": 137, "owner": {"id": 281}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_ADMIN_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 77, "privilege": "admin"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_BUSINESS_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 57, "privilege": "business"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_USER_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 7, "privilege": "user"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_WORKER_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 52, "privilege": "worker"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_NONE_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 16, "privilege": "none"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_OWNER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 75, "privilege": "admin"}, "organization": {"id": 128, "owner": {"id": 75}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_MAINTAINER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 66, "privilege": "admin"}, "organization": {"id": 131, "owner": {"id": 281}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 46, "privilege": "admin"}, "organization": {"id": 148, "owner": {"id": 243}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_WORKER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 31, "privilege": "admin"}, "organization": {"id": 186, "owner": {"id": 245}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 51, "privilege": "admin"}, "organization": {"id": 164, "owner": {"id": 216}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_OWNER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 10, "privilege": "business"}, "organization": {"id": 172, "owner": {"id": 10}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_MAINTAINER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 47, "privilege": "business"}, "organization": {"id": 170, "owner": {"id": 269}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 87, "privilege": "business"}, "organization": {"id": 151, "owner": {"id": 294}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_WORKER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 20, "privilege": "business"}, "organization": {"id": 110, "owner": {"id": 273}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 34, "privilege": "business"}, "organization": {"id": 156, "owner": {"id": 235}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_OWNER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 76, "privilege": "user"}, "organization": {"id": 138, "owner": {"id": 76}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_MAINTAINER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 85, "privilege": "user"}, "organization": {"id": 129, "owner": {"id": 200}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 68, "privilege": "user"}, "organization": {"id": 123, "owner": {"id": 202}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_WORKER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 94, "privilege": "user"}, "organization": {"id": 103, "owner": {"id": 290}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 37, "privilege": "user"}, "organization": {"id": 106, "owner": {"id": 233}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_OWNER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 6, "privilege": "worker"}, "organization": {"id": 146, "owner": {"id": 6}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_MAINTAINER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 54, "privilege": "worker"}, "organization": {"id": 192, "owner": {"id": 230}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 72, "privilege": "worker"}, "organization": {"id": 112, "owner": {"id": 257}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_WORKER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 5, "privilege": "worker"}, "organization": {"id": 196, "owner": {"id": 252}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 20, "privilege": "worker"}, "organization": {"id": 100, "owner": {"id": 279}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_OWNER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 65, "privilege": "none"}, "organization": {"id": 198, "owner": {"id": 65}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_MAINTAINER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 36, "privilege": "none"}, "organization": {"id": 179, "owner": {"id": 298}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 67, "privilege": "none"}, "organization": {"id": 125, "owner": {"id": 256}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_WORKER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 35, "privilege": "none"}, "organization": {"id": 111, "owner": {"id": 270}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 12, "privilege": "none"}, "organization": {"id": 160, "owner": {"id": 247}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_SANDBOX_ownership_NONE_privilege_ADMIN_membership_NONE {
|
||||
allow with input as {"scope": "call:offline", "auth": {"user": {"id": 99, "privilege": "admin"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_SANDBOX_ownership_NONE_privilege_BUSINESS_membership_NONE {
|
||||
allow with input as {"scope": "call:offline", "auth": {"user": {"id": 33, "privilege": "business"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_SANDBOX_ownership_NONE_privilege_USER_membership_NONE {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 80, "privilege": "user"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_SANDBOX_ownership_NONE_privilege_WORKER_membership_NONE {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 42, "privilege": "worker"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_SANDBOX_ownership_NONE_privilege_NONE_membership_NONE {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 9, "privilege": "none"}, "organization": null}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_OWNER {
|
||||
allow with input as {"scope": "call:offline", "auth": {"user": {"id": 4, "privilege": "admin"}, "organization": {"id": 172, "owner": {"id": 4}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_MAINTAINER {
|
||||
allow with input as {"scope": "call:offline", "auth": {"user": {"id": 82, "privilege": "admin"}, "organization": {"id": 195, "owner": {"id": 266}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "call:offline", "auth": {"user": {"id": 66, "privilege": "admin"}, "organization": {"id": 130, "owner": {"id": 291}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_WORKER {
|
||||
allow with input as {"scope": "call:offline", "auth": {"user": {"id": 45, "privilege": "admin"}, "organization": {"id": 189, "owner": {"id": 265}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_NONE {
|
||||
allow with input as {"scope": "call:offline", "auth": {"user": {"id": 49, "privilege": "admin"}, "organization": {"id": 196, "owner": {"id": 236}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_OWNER {
|
||||
allow with input as {"scope": "call:offline", "auth": {"user": {"id": 2, "privilege": "business"}, "organization": {"id": 194, "owner": {"id": 2}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_MAINTAINER {
|
||||
allow with input as {"scope": "call:offline", "auth": {"user": {"id": 70, "privilege": "business"}, "organization": {"id": 172, "owner": {"id": 295}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "call:offline", "auth": {"user": {"id": 77, "privilege": "business"}, "organization": {"id": 170, "owner": {"id": 263}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_WORKER {
|
||||
allow with input as {"scope": "call:offline", "auth": {"user": {"id": 54, "privilege": "business"}, "organization": {"id": 140, "owner": {"id": 236}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_NONE {
|
||||
allow with input as {"scope": "call:offline", "auth": {"user": {"id": 81, "privilege": "business"}, "organization": {"id": 144, "owner": {"id": 234}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_OWNER {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 23, "privilege": "user"}, "organization": {"id": 191, "owner": {"id": 23}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_MAINTAINER {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 71, "privilege": "user"}, "organization": {"id": 153, "owner": {"id": 268}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_SUPERVISOR {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 81, "privilege": "user"}, "organization": {"id": 135, "owner": {"id": 277}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_WORKER {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 96, "privilege": "user"}, "organization": {"id": 111, "owner": {"id": 246}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_NONE {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 52, "privilege": "user"}, "organization": {"id": 115, "owner": {"id": 251}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_OWNER {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 27, "privilege": "worker"}, "organization": {"id": 166, "owner": {"id": 27}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_MAINTAINER {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 99, "privilege": "worker"}, "organization": {"id": 144, "owner": {"id": 241}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_SUPERVISOR {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 54, "privilege": "worker"}, "organization": {"id": 191, "owner": {"id": 235}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_WORKER {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 23, "privilege": "worker"}, "organization": {"id": 138, "owner": {"id": 248}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_NONE {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 78, "privilege": "worker"}, "organization": {"id": 157, "owner": {"id": 294}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_OWNER {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 25, "privilege": "none"}, "organization": {"id": 102, "owner": {"id": 25}, "user": {"role": "owner"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_MAINTAINER {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 76, "privilege": "none"}, "organization": {"id": 158, "owner": {"id": 283}, "user": {"role": "maintainer"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_SUPERVISOR {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 20, "privilege": "none"}, "organization": {"id": 133, "owner": {"id": 202}, "user": {"role": "supervisor"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_WORKER {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 70, "privilege": "none"}, "organization": {"id": 117, "owner": {"id": 230}, "user": {"role": "worker"}}}, "resource": null}
|
||||
}
|
||||
|
||||
test_scope_CALL_OFFLINE_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_NONE {
|
||||
not allow with input as {"scope": "call:offline", "auth": {"user": {"id": 76, "privilege": "none"}, "organization": {"id": 157, "owner": {"id": 242}, "user": {"role": null}}}, "resource": null}
|
||||
}
|
||||
|
||||
|
||||
|
||||
# lambda_test.gen.repo.py
|
||||
# # Copyright (C) 2021-2022 Intel Corporation
|
||||
# #
|
||||
# # SPDX-License-Identifier: MIT
|
||||
#
|
||||
# # Copyright (C) 2021-2022 Intel Corporation
|
||||
# #
|
||||
# # SPDX-License-Identifier: MIT
|
||||
#
|
||||
# import csv
|
||||
# import json
|
||||
# import random
|
||||
# import sys
|
||||
# import os
|
||||
# from itertools import product
|
||||
#
|
||||
#
|
||||
# NAME = 'lambda'
|
||||
#
|
||||
# def read_rules(name):
|
||||
# rules = []
|
||||
# with open(os.path.join(sys.argv[1], f'{name}.csv')) as f:
|
||||
# reader = csv.DictReader(f)
|
||||
# for row in reader:
|
||||
# row = {k.lower():v.lower().replace('n/a','na') for k,v in row.items()}
|
||||
# row['limit'] = row['limit'].replace('none', 'None')
|
||||
# found = False
|
||||
# for col,val in row.items():
|
||||
# if col in ["limit", "method", "url", "resource"]:
|
||||
# continue
|
||||
# complex_val = [v.strip() for v in val.split(',')]
|
||||
# if len(complex_val) > 1:
|
||||
# found = True
|
||||
# for item in complex_val:
|
||||
# new_row = row.copy()
|
||||
# new_row[col] = item
|
||||
# rules.append(new_row)
|
||||
# if not found:
|
||||
# rules.append(row)
|
||||
#
|
||||
# return rules
|
||||
#
|
||||
# simple_rules = read_rules(NAME)
|
||||
#
|
||||
# SCOPES = list({rule['scope'] for rule in simple_rules})
|
||||
# CONTEXTS = ['sandbox', 'organization']
|
||||
# OWNERSHIPS = ['none']
|
||||
# GROUPS = ['admin', 'business', 'user', 'worker', 'none']
|
||||
# ORG_ROLES = ['owner', 'maintainer', 'supervisor', 'worker', None]
|
||||
#
|
||||
# def RESOURCES(scope):
|
||||
# return [None]
|
||||
#
|
||||
# def eval_rule(scope, context, ownership, privilege, membership, data):
|
||||
# if privilege == 'admin':
|
||||
# return True
|
||||
#
|
||||
# rules = list(filter(lambda r: scope == r['scope'], simple_rules))
|
||||
# rules = list(filter(lambda r: r['context'] == 'na' or context == r['context'], rules))
|
||||
# rules = list(filter(lambda r: r['ownership'] == 'na' or ownership == r['ownership'], rules))
|
||||
# rules = list(filter(lambda r: r['membership'] == 'na' or
|
||||
# ORG_ROLES.index(membership) <= ORG_ROLES.index(r['membership']), rules))
|
||||
# rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r['privilege']), rules))
|
||||
# resource = data['resource']
|
||||
# rules = list(filter(lambda r: not r['limit'] or eval(r['limit'], {'resource': resource}), rules))
|
||||
#
|
||||
# return bool(rules)
|
||||
#
|
||||
# def get_data(scope, context, ownership, privilege, membership, resource):
|
||||
# data = {
|
||||
# "scope": scope,
|
||||
# "auth": {
|
||||
# "user": { "id": random.randrange(0,100), "privilege": privilege },
|
||||
# "organization": {
|
||||
# "id": random.randrange(100,200),
|
||||
# "owner": { "id": random.randrange(200, 300) },
|
||||
# "user": { "role": membership }
|
||||
# } if context == 'organization' else None
|
||||
# },
|
||||
# "resource": resource
|
||||
# }
|
||||
#
|
||||
# user_id = data['auth']['user']['id']
|
||||
# if context == 'organization':
|
||||
# if data['auth']['organization']['user']['role'] == 'owner':
|
||||
# data['auth']['organization']['owner']['id'] = user_id
|
||||
#
|
||||
# return data
|
||||
#
|
||||
# def _get_name(prefix, **kwargs):
|
||||
# name = prefix
|
||||
# for k,v in kwargs.items():
|
||||
# if k == 'resource':
|
||||
# continue
|
||||
# prefix = '_' + str(k)
|
||||
# if isinstance(v, dict):
|
||||
# if 'id' in v:
|
||||
# v = v.copy()
|
||||
# v.pop('id')
|
||||
# if v:
|
||||
# name += _get_name(prefix, **v)
|
||||
# else:
|
||||
# name += ''.join(map(lambda c: c if c.isalnum() else {'@':'_IN_'}.get(c, '_'),
|
||||
# f'{prefix}_{str(v).upper()}'))
|
||||
#
|
||||
# return name
|
||||
#
|
||||
# def get_name(scope, context, ownership, privilege, membership, resource):
|
||||
# return _get_name('test', **locals())
|
||||
#
|
||||
# def is_valid(scope, context, ownership, privilege, membership, resource):
|
||||
# if context == "sandbox" and membership:
|
||||
# return False
|
||||
# if scope == 'list' and ownership != 'None':
|
||||
# return False
|
||||
#
|
||||
# return True
|
||||
#
|
||||
# def gen_test_rego(name):
|
||||
# with open(f'{name}_test.gen.rego', 'wt') as f:
|
||||
# f.write(f'package {name}\n\n')
|
||||
# for scope, context, ownership, privilege, membership in product(
|
||||
# SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES):
|
||||
# for resource in RESOURCES(scope):
|
||||
# if not is_valid(scope, context, ownership, privilege, membership, resource):
|
||||
# continue
|
||||
#
|
||||
# data = get_data(scope, context, ownership, privilege, membership, resource)
|
||||
# test_name = get_name(scope, context, ownership, privilege, membership, resource)
|
||||
# result = eval_rule(scope, context, ownership, privilege, membership, data)
|
||||
# f.write('{test_name} {{\n {allow} with input as {data}\n}}\n\n'.format(
|
||||
# test_name=test_name, allow='allow' if result else 'not allow',
|
||||
# data=json.dumps(data)))
|
||||
#
|
||||
# # Write the script which is used to generate the file
|
||||
# with open(sys.argv[0]) as this_file:
|
||||
# f.write(f'\n\n# {os.path.split(sys.argv[0])[1]}\n')
|
||||
# for line in this_file:
|
||||
# if line.strip():
|
||||
# f.write(f'# {line}')
|
||||
# else:
|
||||
# f.write(f'#\n')
|
||||
#
|
||||
# # Write rules which are used to generate the file
|
||||
# with open(os.path.join(sys.argv[1], f'{name}.csv')) as rego_file:
|
||||
# f.write(f'\n\n# {name}.csv\n')
|
||||
# for line in rego_file:
|
||||
# if line.strip():
|
||||
# f.write(f'# {line}')
|
||||
# else:
|
||||
# f.write(f'#\n')
|
||||
#
|
||||
# gen_test_rego(NAME)
|
||||
|
||||
# lambda.csv
|
||||
# Scope,Resource,Context,Ownership,Limit,Method,URL,Privilege,Membership
|
||||
# list,N/A,N/A,N/A,,GET,/lambda/functions,None,N/A
|
||||
# view,LambdaFunction,N/A,N/A,,GET,/lambda/functions/{func_id},None,N/A
|
||||
# call:online,"LambdaFunction, Job",N/A,N/A,,POST,/lambda/functions/{func_id},Worker,N/A
|
||||
# call:offline,"LambdaFunction, Task",N/A,N/A,,POST,/lambda/requests,Business,N/A
|
||||
# call:offline,"LambdaFunction, Task",N/A,N/A,,GET,"/lambda/requests/{id}, /lambda/requests",Business,N/A
|
||||
@ -1,556 +0,0 @@
|
||||
package server
|
||||
|
||||
test_scope_LIST_CONTENT_context_SANDBOX_ownership_NONE_privilege_ADMIN_membership_NONE {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 73, "privilege": "admin"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_SANDBOX_ownership_NONE_privilege_BUSINESS_membership_NONE {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 30, "privilege": "business"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_SANDBOX_ownership_NONE_privilege_USER_membership_NONE {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 95, "privilege": "user"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_SANDBOX_ownership_NONE_privilege_WORKER_membership_NONE {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 43, "privilege": "worker"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_SANDBOX_ownership_NONE_privilege_NONE_membership_NONE {
|
||||
not allow with input as {"scope": "list:content", "auth": {"user": {"id": 4, "privilege": "none"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_OWNER {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 42, "privilege": "admin"}, "organization": {"id": 152, "owner": {"id": 42}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_MAINTAINER {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 98, "privilege": "admin"}, "organization": {"id": 144, "owner": {"id": 223}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 44, "privilege": "admin"}, "organization": {"id": 169, "owner": {"id": 266}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_WORKER {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 1, "privilege": "admin"}, "organization": {"id": 174, "owner": {"id": 260}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_OWNER {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 56, "privilege": "business"}, "organization": {"id": 136, "owner": {"id": 56}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_MAINTAINER {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 42, "privilege": "business"}, "organization": {"id": 124, "owner": {"id": 258}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 57, "privilege": "business"}, "organization": {"id": 160, "owner": {"id": 218}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_WORKER {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 79, "privilege": "business"}, "organization": {"id": 198, "owner": {"id": 228}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_OWNER {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 4, "privilege": "user"}, "organization": {"id": 127, "owner": {"id": 4}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_MAINTAINER {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 64, "privilege": "user"}, "organization": {"id": 142, "owner": {"id": 252}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 3, "privilege": "user"}, "organization": {"id": 181, "owner": {"id": 299}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_WORKER {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 50, "privilege": "user"}, "organization": {"id": 165, "owner": {"id": 288}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_OWNER {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 83, "privilege": "worker"}, "organization": {"id": 100, "owner": {"id": 83}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_MAINTAINER {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 85, "privilege": "worker"}, "organization": {"id": 155, "owner": {"id": 285}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 11, "privilege": "worker"}, "organization": {"id": 197, "owner": {"id": 236}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_WORKER {
|
||||
allow with input as {"scope": "list:content", "auth": {"user": {"id": 46, "privilege": "worker"}, "organization": {"id": 164, "owner": {"id": 275}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_OWNER {
|
||||
not allow with input as {"scope": "list:content", "auth": {"user": {"id": 13, "privilege": "none"}, "organization": {"id": 114, "owner": {"id": 13}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_MAINTAINER {
|
||||
not allow with input as {"scope": "list:content", "auth": {"user": {"id": 65, "privilege": "none"}, "organization": {"id": 173, "owner": {"id": 236}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_SUPERVISOR {
|
||||
not allow with input as {"scope": "list:content", "auth": {"user": {"id": 41, "privilege": "none"}, "organization": {"id": 146, "owner": {"id": 259}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_LIST_CONTENT_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_WORKER {
|
||||
not allow with input as {"scope": "list:content", "auth": {"user": {"id": 56, "privilege": "none"}, "organization": {"id": 190, "owner": {"id": 271}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_SANDBOX_ownership_NONE_privilege_ADMIN_membership_NONE {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 28, "privilege": "admin"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_SANDBOX_ownership_NONE_privilege_BUSINESS_membership_NONE {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 55, "privilege": "business"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_SANDBOX_ownership_NONE_privilege_USER_membership_NONE {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 88, "privilege": "user"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_SANDBOX_ownership_NONE_privilege_WORKER_membership_NONE {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 77, "privilege": "worker"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_SANDBOX_ownership_NONE_privilege_NONE_membership_NONE {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 32, "privilege": "none"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_OWNER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 90, "privilege": "admin"}, "organization": {"id": 125, "owner": {"id": 90}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_MAINTAINER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 27, "privilege": "admin"}, "organization": {"id": 134, "owner": {"id": 207}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 50, "privilege": "admin"}, "organization": {"id": 101, "owner": {"id": 229}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_WORKER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 6, "privilege": "admin"}, "organization": {"id": 175, "owner": {"id": 239}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_OWNER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 63, "privilege": "business"}, "organization": {"id": 185, "owner": {"id": 63}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_MAINTAINER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 47, "privilege": "business"}, "organization": {"id": 161, "owner": {"id": 239}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 5, "privilege": "business"}, "organization": {"id": 151, "owner": {"id": 226}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_WORKER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 5, "privilege": "business"}, "organization": {"id": 188, "owner": {"id": 266}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_OWNER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 57, "privilege": "user"}, "organization": {"id": 174, "owner": {"id": 57}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_MAINTAINER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 63, "privilege": "user"}, "organization": {"id": 155, "owner": {"id": 280}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 0, "privilege": "user"}, "organization": {"id": 188, "owner": {"id": 243}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_WORKER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 6, "privilege": "user"}, "organization": {"id": 158, "owner": {"id": 273}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_OWNER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 80, "privilege": "worker"}, "organization": {"id": 142, "owner": {"id": 80}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_MAINTAINER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 76, "privilege": "worker"}, "organization": {"id": 154, "owner": {"id": 233}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 63, "privilege": "worker"}, "organization": {"id": 153, "owner": {"id": 293}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_WORKER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 64, "privilege": "worker"}, "organization": {"id": 191, "owner": {"id": 285}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_OWNER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 57, "privilege": "none"}, "organization": {"id": 177, "owner": {"id": 57}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_MAINTAINER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 40, "privilege": "none"}, "organization": {"id": 163, "owner": {"id": 271}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 94, "privilege": "none"}, "organization": {"id": 150, "owner": {"id": 236}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_LOGS_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_WORKER {
|
||||
allow with input as {"scope": "send:logs", "auth": {"user": {"id": 53, "privilege": "none"}, "organization": {"id": 152, "owner": {"id": 273}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_ADMIN_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 32, "privilege": "admin"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_BUSINESS_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 19, "privilege": "business"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_USER_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 50, "privilege": "user"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_WORKER_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 9, "privilege": "worker"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_SANDBOX_ownership_NONE_privilege_NONE_membership_NONE {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 31, "privilege": "none"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_OWNER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 24, "privilege": "admin"}, "organization": {"id": 198, "owner": {"id": 24}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_MAINTAINER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 43, "privilege": "admin"}, "organization": {"id": 158, "owner": {"id": 247}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 68, "privilege": "admin"}, "organization": {"id": 153, "owner": {"id": 254}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_WORKER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 98, "privilege": "admin"}, "organization": {"id": 102, "owner": {"id": 261}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_OWNER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 22, "privilege": "business"}, "organization": {"id": 140, "owner": {"id": 22}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_MAINTAINER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 67, "privilege": "business"}, "organization": {"id": 168, "owner": {"id": 233}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 55, "privilege": "business"}, "organization": {"id": 177, "owner": {"id": 200}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_WORKER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 29, "privilege": "business"}, "organization": {"id": 127, "owner": {"id": 283}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_OWNER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 73, "privilege": "user"}, "organization": {"id": 115, "owner": {"id": 73}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_MAINTAINER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 82, "privilege": "user"}, "organization": {"id": 178, "owner": {"id": 205}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 7, "privilege": "user"}, "organization": {"id": 172, "owner": {"id": 203}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_WORKER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 39, "privilege": "user"}, "organization": {"id": 136, "owner": {"id": 239}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_OWNER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 80, "privilege": "worker"}, "organization": {"id": 189, "owner": {"id": 80}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_MAINTAINER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 61, "privilege": "worker"}, "organization": {"id": 128, "owner": {"id": 277}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 10, "privilege": "worker"}, "organization": {"id": 136, "owner": {"id": 287}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_WORKER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 16, "privilege": "worker"}, "organization": {"id": 127, "owner": {"id": 258}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_OWNER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 44, "privilege": "none"}, "organization": {"id": 157, "owner": {"id": 44}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_MAINTAINER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 55, "privilege": "none"}, "organization": {"id": 173, "owner": {"id": 213}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 35, "privilege": "none"}, "organization": {"id": 107, "owner": {"id": 227}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_VIEW_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_WORKER {
|
||||
allow with input as {"scope": "view", "auth": {"user": {"id": 28, "privilege": "none"}, "organization": {"id": 151, "owner": {"id": 217}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_SANDBOX_ownership_NONE_privilege_ADMIN_membership_NONE {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 96, "privilege": "admin"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_SANDBOX_ownership_NONE_privilege_BUSINESS_membership_NONE {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 47, "privilege": "business"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_SANDBOX_ownership_NONE_privilege_USER_membership_NONE {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 15, "privilege": "user"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_SANDBOX_ownership_NONE_privilege_WORKER_membership_NONE {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 76, "privilege": "worker"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_SANDBOX_ownership_NONE_privilege_NONE_membership_NONE {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 94, "privilege": "none"}, "organization": null}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_OWNER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 27, "privilege": "admin"}, "organization": {"id": 153, "owner": {"id": 27}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_MAINTAINER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 41, "privilege": "admin"}, "organization": {"id": 119, "owner": {"id": 236}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 18, "privilege": "admin"}, "organization": {"id": 160, "owner": {"id": 260}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_ADMIN_membership_WORKER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 34, "privilege": "admin"}, "organization": {"id": 170, "owner": {"id": 209}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_OWNER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 56, "privilege": "business"}, "organization": {"id": 149, "owner": {"id": 56}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_MAINTAINER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 58, "privilege": "business"}, "organization": {"id": 110, "owner": {"id": 261}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 97, "privilege": "business"}, "organization": {"id": 194, "owner": {"id": 217}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_BUSINESS_membership_WORKER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 44, "privilege": "business"}, "organization": {"id": 153, "owner": {"id": 201}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_OWNER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 68, "privilege": "user"}, "organization": {"id": 153, "owner": {"id": 68}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_MAINTAINER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 54, "privilege": "user"}, "organization": {"id": 115, "owner": {"id": 270}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 95, "privilege": "user"}, "organization": {"id": 161, "owner": {"id": 265}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_WORKER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 71, "privilege": "user"}, "organization": {"id": 102, "owner": {"id": 296}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_OWNER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 88, "privilege": "worker"}, "organization": {"id": 104, "owner": {"id": 88}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_MAINTAINER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 74, "privilege": "worker"}, "organization": {"id": 184, "owner": {"id": 211}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 62, "privilege": "worker"}, "organization": {"id": 166, "owner": {"id": 268}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_WORKER_membership_WORKER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 86, "privilege": "worker"}, "organization": {"id": 186, "owner": {"id": 273}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_OWNER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 25, "privilege": "none"}, "organization": {"id": 181, "owner": {"id": 25}, "user": {"role": "owner"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_MAINTAINER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 23, "privilege": "none"}, "organization": {"id": 141, "owner": {"id": 291}, "user": {"role": "maintainer"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_SUPERVISOR {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 78, "privilege": "none"}, "organization": {"id": 118, "owner": {"id": 252}, "user": {"role": "supervisor"}}}}
|
||||
}
|
||||
|
||||
test_scope_SEND_EXCEPTION_context_ORGANIZATION_ownership_NONE_privilege_NONE_membership_WORKER {
|
||||
allow with input as {"scope": "send:exception", "auth": {"user": {"id": 3, "privilege": "none"}, "organization": {"id": 146, "owner": {"id": 226}, "user": {"role": "worker"}}}}
|
||||
}
|
||||
|
||||
|
||||
|
||||
# server_test.gen.rego.py
|
||||
# # Copyright (C) 2021-2022 Intel Corporation
|
||||
# #
|
||||
# # SPDX-License-Identifier: MIT
|
||||
#
|
||||
# # Copyright (C) 2021-2022 Intel Corporation
|
||||
# #
|
||||
# # SPDX-License-Identifier: MIT
|
||||
#
|
||||
# import csv
|
||||
# import json
|
||||
# import random
|
||||
# import sys
|
||||
# import os
|
||||
# from itertools import product
|
||||
#
|
||||
# NAME = 'server'
|
||||
#
|
||||
# def read_rules(name):
|
||||
# rules = []
|
||||
# with open(os.path.join(sys.argv[1], f'{name}.csv')) as f:
|
||||
# reader = csv.DictReader(f)
|
||||
# for row in reader:
|
||||
# row = {k.lower():v.lower().replace('n/a','na') for k,v in row.items()}
|
||||
# row['limit'] = row['limit'].replace('none', 'None')
|
||||
# found = False
|
||||
# for col,val in row.items():
|
||||
# if col in ["limit", "method", "url"]:
|
||||
# continue
|
||||
# complex_val = [v.strip() for v in val.split(',')]
|
||||
# if len(complex_val) > 1:
|
||||
# found = True
|
||||
# for item in complex_val:
|
||||
# new_row = row.copy()
|
||||
# new_row[col] = item
|
||||
# rules.append(new_row)
|
||||
# if not found:
|
||||
# rules.append(row)
|
||||
#
|
||||
# return rules
|
||||
#
|
||||
# simple_rules = read_rules(NAME)
|
||||
#
|
||||
# SCOPES = {rule['scope'] for rule in simple_rules}
|
||||
# CONTEXTS = ['sandbox', 'organization']
|
||||
# OWNERSHIPS = ['none']
|
||||
# GROUPS = ['admin', 'business', 'user', 'worker', 'none']
|
||||
# ORG_ROLES = ['owner', 'maintainer', 'supervisor', 'worker', None]
|
||||
#
|
||||
# def eval_rule(scope, context, ownership, privilege, membership, data):
|
||||
# if privilege == 'admin':
|
||||
# return True
|
||||
#
|
||||
# rules = list(filter(lambda r: scope == r['scope'], simple_rules))
|
||||
# rules = list(filter(lambda r: r['context'] == 'na' or context == r['context'], rules))
|
||||
# rules = list(filter(lambda r: r['ownership'] == 'na' or ownership == r['ownership'], rules))
|
||||
# rules = list(filter(lambda r: r['membership'] == 'na' or
|
||||
# ORG_ROLES.index(membership) <= ORG_ROLES.index(r['membership']), rules))
|
||||
# rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r['privilege']), rules))
|
||||
# rules = list(filter(lambda r: not r['limit'] or eval(r['limit']), rules))
|
||||
#
|
||||
# return bool(rules)
|
||||
#
|
||||
# def get_data(scope, context, ownership, privilege, membership):
|
||||
# data = {
|
||||
# "scope": scope,
|
||||
# "auth": {
|
||||
# "user": { "id": random.randrange(0,100), "privilege": privilege },
|
||||
# "organization": {
|
||||
# "id": random.randrange(100,200),
|
||||
# "owner": { "id": random.randrange(200, 300) },
|
||||
# "user": { "role": membership }
|
||||
# } if context == 'organization' else None
|
||||
# }
|
||||
# }
|
||||
#
|
||||
# user_id = data['auth']['user']['id']
|
||||
# if context == 'organization':
|
||||
# if data['auth']['organization']['user']['role'] == 'owner':
|
||||
# data['auth']['organization']['owner']['id'] = user_id
|
||||
#
|
||||
# return data
|
||||
#
|
||||
# def _get_name(prefix, **kwargs):
|
||||
# name = prefix
|
||||
# for k,v in kwargs.items():
|
||||
# prefix = '_' + str(k)
|
||||
# if isinstance(v, dict):
|
||||
# if 'id' in v:
|
||||
# v = v.copy()
|
||||
# v.pop('id')
|
||||
# if v:
|
||||
# name += _get_name(prefix, **v)
|
||||
# else:
|
||||
# name += f'{prefix}_{str(v).upper().replace(":", "_")}'
|
||||
#
|
||||
# return name
|
||||
#
|
||||
# def get_name(scope, context, ownership, privilege, membership):
|
||||
# return _get_name('test', **locals())
|
||||
#
|
||||
# def is_valid(scope, context, ownership, privilege, membership):
|
||||
# if context == "sandbox" and membership:
|
||||
# return False
|
||||
# if scope == 'list' and ownership != 'None':
|
||||
# return False
|
||||
# if context == "organization" and membership == None:
|
||||
# return False
|
||||
#
|
||||
# return True
|
||||
#
|
||||
# def gen_test_rego(name):
|
||||
# with open(f'{name}_test.gen.rego', 'wt') as f:
|
||||
# f.write(f'package {name}\n\n')
|
||||
# for scope, context, ownership, privilege, membership in product(
|
||||
# SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES):
|
||||
# if not is_valid(scope, context, ownership, privilege, membership):
|
||||
# continue
|
||||
#
|
||||
# data = get_data(scope, context, ownership, privilege, membership)
|
||||
# test_name = get_name(scope, context, ownership, privilege, membership)
|
||||
# result = eval_rule(scope, context, ownership, privilege, membership, data)
|
||||
# f.write('{test_name} {{\n {allow} with input as {data}\n}}\n\n'.format(
|
||||
# test_name=test_name, allow='allow' if result else 'not allow',
|
||||
# data=json.dumps(data)))
|
||||
#
|
||||
# # Write the script which is used to generate the file
|
||||
# with open(sys.argv[0]) as this_file:
|
||||
# f.write(f'\n\n# {os.path.split(sys.argv[0])[1]}\n')
|
||||
# for line in this_file:
|
||||
# if line.strip():
|
||||
# f.write(f'# {line}')
|
||||
# else:
|
||||
# f.write(f'#\n')
|
||||
#
|
||||
# # Write rules which are used to generate the file
|
||||
# with open(os.path.join(sys.argv[1], f'{name}.csv')) as rego_file:
|
||||
# f.write(f'\n\n# {name}.csv\n')
|
||||
# for line in rego_file:
|
||||
# if line.strip():
|
||||
# f.write(f'# {line}')
|
||||
# else:
|
||||
# f.write(f'#\n')
|
||||
#
|
||||
# gen_test_rego(NAME)
|
||||
|
||||
# server.csv
|
||||
# Scope,Resource,Context,Ownership,Limit,Method,URL,Privilege,Membership
|
||||
# view,N/A,N/A,N/A,,GET,"/server/about, /server/annotation/formats, /server/plugins",None,N/A
|
||||
# send:exception,N/A,N/A,N/A,,POST,/server/exception,None,N/A
|
||||
# send:logs,N/A,N/A,N/A,,POST,/server/logs,None,N/A
|
||||
# list:content,N/A,N/A,N/A,,GET,/server/share,Worker,N/A
|
||||
@ -0,0 +1,3 @@
|
||||
# Open Policy Agent Tests
|
||||
|
||||
Read more [here](https://opencv.github.io/cvat/docs/contributing/running-tests/#opa-tests)
|
||||
@ -0,0 +1,73 @@
|
||||
#!/usr/bin/env python3
|
||||
#
|
||||
# Copyright (C) 2022 CVAT.ai Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: MIT
|
||||
|
||||
import os
|
||||
import os.path as osp
|
||||
import subprocess
|
||||
import sys
|
||||
from argparse import ArgumentParser, Namespace
|
||||
from concurrent.futures import ThreadPoolExecutor
|
||||
from functools import partial
|
||||
from glob import glob
|
||||
from typing import Optional, Sequence
|
||||
|
||||
|
||||
def create_arg_parser() -> ArgumentParser:
|
||||
parser = ArgumentParser(add_help=True)
|
||||
parser.add_argument(
|
||||
"-c",
|
||||
"--config-dir",
|
||||
default=None,
|
||||
help="The directory with test configs in CSV format (default: the default location)",
|
||||
)
|
||||
parser.add_argument(
|
||||
"-g",
|
||||
"--gen-dir",
|
||||
default=None,
|
||||
help="The directory with test generators (default: the default location)",
|
||||
)
|
||||
parser.add_argument(
|
||||
"-o",
|
||||
"--output-dir",
|
||||
default=".",
|
||||
type=osp.abspath,
|
||||
help="The output directory for rego files (default: current dir)",
|
||||
)
|
||||
return parser
|
||||
|
||||
|
||||
def parse_args(args: Optional[Sequence[str]] = None) -> Namespace:
|
||||
parser = create_arg_parser()
|
||||
parsed_args = parser.parse_args(args)
|
||||
return parsed_args
|
||||
|
||||
|
||||
def call_generator(module_path: str, gen_params: Namespace):
|
||||
subprocess.check_call(
|
||||
["python3", module_path, gen_params.config_dir], cwd=gen_params.output_dir
|
||||
)
|
||||
|
||||
|
||||
def main(args: Optional[Sequence[str]] = None) -> int:
|
||||
args = parse_args(args)
|
||||
|
||||
args.config_dir = osp.abspath(args.config_dir or osp.join(osp.dirname(__file__), "configs"))
|
||||
args.gen_dir = osp.abspath(args.gen_dir or osp.join(osp.dirname(__file__), "generators"))
|
||||
|
||||
assert osp.isdir(args.config_dir)
|
||||
assert osp.isdir(args.gen_dir)
|
||||
|
||||
os.makedirs(args.output_dir, exist_ok=True)
|
||||
|
||||
with ThreadPoolExecutor() as pool:
|
||||
pool.map(
|
||||
partial(call_generator, gen_params=args),
|
||||
glob(osp.join(args.gen_dir, "*_test.gen.rego.py")),
|
||||
)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
sys.exit(main())
|
||||
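Review bot: The iterator returned by `pool.map` in `main` is discarded, so a generator that exits non-zero raises `CalledProcessError` only when its result is retrieved, which never happens here; `main` then falls off the end, returns `None`, and the script exits 0 even when a generator failed. Consume the results and return an explicit status, e.g. `for _ in pool.map(partial(call_generator, gen_params=args), glob(osp.join(args.gen_dir, "*_test.gen.rego.py"))): pass` followed by `return 0`. Using `sys.executable` instead of the literal `"python3"` in `call_generator` would also keep the child processes on the same interpreter and environment that runs this script. The two `assert osp.isdir(...)` checks are stripped under `python -O`; `parser.error(...)` or an explicit exception would survive.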
@ -0,0 +1,179 @@
|
||||
# Copyright (C) 2022 CVAT.ai Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: MIT
|
||||
|
||||
import csv
|
||||
import json
|
||||
import os
|
||||
import random
|
||||
import sys
|
||||
from itertools import product
|
||||
|
||||
NAME = "analytics"
|
||||
|
||||
|
||||
def read_rules(name):
|
||||
rules = []
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as f:
|
||||
reader = csv.DictReader(f)
|
||||
for row in reader:
|
||||
row = {k.lower(): v.lower().replace("n/a", "na") for k, v in row.items()}
|
||||
row["limit"] = row["limit"].replace("none", "None")
|
||||
found = False
|
||||
for col, val in row.items():
|
||||
if col in ["limit", "method", "url"]:
|
||||
continue
|
||||
complex_val = [v.strip() for v in val.split(",")]
|
||||
if len(complex_val) > 1:
|
||||
found = True
|
||||
for item in complex_val:
|
||||
new_row = row.copy()
|
||||
new_row[col] = item
|
||||
rules.append(new_row)
|
||||
if not found:
|
||||
rules.append(row)
|
||||
|
||||
return rules
|
||||
|
||||
|
||||
simple_rules = read_rules(NAME)
|
||||
|
||||
SCOPES = {rule["scope"] for rule in simple_rules}
|
||||
CONTEXTS = ["sandbox", "organization"]
|
||||
OWNERSHIPS = ["none"]
|
||||
GROUPS = ["admin", "business", "user", "worker", "none"]
|
||||
ORG_ROLES = ["owner", "maintainer", "supervisor", "worker", None]
|
||||
|
||||
|
||||
def RESOURCES(scope):
|
||||
if scope == "view":
|
||||
return [
|
||||
{"visibility": "public"},
|
||||
{"visibility": "private"},
|
||||
]
|
||||
|
||||
return [None]
|
||||
|
||||
|
||||
def eval_rule(scope, context, ownership, privilege, membership, data):
|
||||
if privilege == "admin":
|
||||
return True
|
||||
|
||||
rules = list(filter(lambda r: scope == r["scope"], simple_rules))
|
||||
rules = list(filter(lambda r: r["context"] == "na" or context == r["context"], rules))
|
||||
rules = list(filter(lambda r: r["ownership"] == "na" or ownership == r["ownership"], rules))
|
||||
rules = list(
|
||||
filter(
|
||||
lambda r: r["membership"] == "na"
|
||||
or ORG_ROLES.index(membership) <= ORG_ROLES.index(r["membership"]),
|
||||
rules,
|
||||
)
|
||||
)
|
||||
rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r["privilege"]), rules))
|
||||
resource = data["resource"]
|
||||
rules = list(filter(lambda r: eval(r["limit"], {"resource": resource}), rules))
|
||||
|
||||
return bool(rules)
|
||||
|
||||
|
||||
def get_data(scope, context, ownership, privilege, membership, resource):
|
||||
data = {
|
||||
"scope": scope,
|
||||
"auth": {
|
||||
"user": {"id": random.randrange(0, 100), "privilege": privilege},
|
||||
"organization": {
|
||||
"id": random.randrange(100, 200),
|
||||
"owner": {"id": random.randrange(200, 300)},
|
||||
"user": {"role": membership},
|
||||
}
|
||||
if context == "organization"
|
||||
else None,
|
||||
},
|
||||
"resource": resource,
|
||||
}
|
||||
|
||||
user_id = data["auth"]["user"]["id"]
|
||||
if context == "organization":
|
||||
if data["auth"]["organization"]["user"]["role"] == "owner":
|
||||
data["auth"]["organization"]["owner"]["id"] = user_id
|
||||
|
||||
return data
|
||||
|
||||
|
||||
def _get_name(prefix, **kwargs):
|
||||
name = prefix
|
||||
for k, v in kwargs.items():
|
||||
if k == "resource":
|
||||
continue
|
||||
prefix = "_" + str(k)
|
||||
if isinstance(v, dict):
|
||||
if "id" in v:
|
||||
v = v.copy()
|
||||
v.pop("id")
|
||||
if v:
|
||||
name += _get_name(prefix, **v)
|
||||
else:
|
||||
name += "".join(
|
||||
map(
|
||||
lambda c: c if c.isalnum() else {"@": "_IN_"}.get(c, "_"),
|
||||
f"{prefix}_{str(v).upper()}",
|
||||
)
|
||||
)
|
||||
|
||||
return name
|
||||
|
||||
|
||||
def get_name(scope, context, ownership, privilege, membership, resource):
|
||||
return _get_name("test", **locals())
|
||||
|
||||
|
||||
def is_valid(scope, context, ownership, privilege, membership, resource):
|
||||
if context == "sandbox" and membership:
|
||||
return False
|
||||
if scope == "list" and ownership != "None":
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
||||
def gen_test_rego(name):
|
||||
with open(f"{name}_test.gen.rego", "wt") as f:
|
||||
f.write(f"package {name}\n\n")
|
||||
for scope, context, ownership, privilege, membership in product(
|
||||
SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES
|
||||
):
|
||||
for resource in RESOURCES(scope):
|
||||
if not is_valid(scope, context, ownership, privilege, membership, resource):
|
||||
continue
|
||||
|
||||
data = get_data(scope, context, ownership, privilege, membership, resource)
|
||||
test_name = get_name(scope, context, ownership, privilege, membership, resource)
|
||||
result = eval_rule(scope, context, ownership, privilege, membership, data)
|
||||
f.write(
|
||||
"{test_name} {{\n {allow} with input as {data}\n}}\n\n".format(
|
||||
test_name=test_name,
|
||||
allow="allow" if result else "not allow",
|
||||
data=json.dumps(data),
|
||||
)
|
||||
)
|
||||
|
||||
# Write the script which is used to generate the file
|
||||
with open(sys.argv[0]) as this_file:
|
||||
f.write(f"\n\n# {os.path.split(sys.argv[0])[1]}\n")
|
||||
for line in this_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
# Write rules which are used to generate the file
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as rego_file:
|
||||
f.write(f"\n\n# {name}.csv\n")
|
||||
for line in rego_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
|
||||
gen_test_rego(NAME)
|
||||
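Review bot: `is_valid` compares `ownership != "None"` while every value in `OWNERSHIPS` is lowercase (`"none"`), so the condition is always true and no test is ever generated for a `list` scope; the same comparison appears in the cloudstorages, comments, invitations and issues generators. Unless dropping list tests is intended, it should read `if scope == "list" and ownership != "none":`. Separately, the limit filter in `eval_rule` calls `eval(r["limit"], ...)` with no guard for an empty cell, unlike the sibling generators which use `not r["limit"] or eval(...)`; an empty Limit column here raises `SyntaxError` at generation time. A comment on that line that the CSV's Limit column is executed as Python, so the config directory taken from `sys.argv[1]` must be trusted, would make the trust boundary explicit.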
@ -0,0 +1,205 @@
|
||||
# Copyright (C) 2022 CVAT.ai Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: MIT
|
||||
|
||||
import csv
|
||||
import json
|
||||
import os
|
||||
import random
|
||||
import sys
|
||||
from itertools import product
|
||||
|
||||
NAME = "cloudstorages"
|
||||
|
||||
|
||||
def read_rules(name):
|
||||
rules = []
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as f:
|
||||
reader = csv.DictReader(f)
|
||||
for row in reader:
|
||||
row = {k.lower(): v.lower().replace("n/a", "na") for k, v in row.items()}
|
||||
row["limit"] = row["limit"].replace("none", "None")
|
||||
found = False
|
||||
for col, val in row.items():
|
||||
if col in ["limit", "method", "url"]:
|
||||
continue
|
||||
complex_val = [v.strip() for v in val.split(",")]
|
||||
if len(complex_val) > 1:
|
||||
found = True
|
||||
for item in complex_val:
|
||||
new_row = row.copy()
|
||||
new_row[col] = item
|
||||
rules.append(new_row)
|
||||
if not found:
|
||||
rules.append(row)
|
||||
|
||||
return rules
|
||||
|
||||
|
||||
simple_rules = read_rules(NAME)
|
||||
|
||||
SCOPES = {rule["scope"] for rule in simple_rules}
|
||||
CONTEXTS = ["sandbox", "organization"]
|
||||
OWNERSHIPS = ["owner", "none"]
|
||||
GROUPS = ["admin", "business", "user", "worker", "none"]
|
||||
ORG_ROLES = ["owner", "maintainer", "supervisor", "worker", None]
|
||||
SAME_ORG = [False, True]
|
||||
|
||||
|
||||
def RESOURCES(scope):
|
||||
if scope == "list":
|
||||
return [None]
|
||||
else:
|
||||
return [
|
||||
{
|
||||
"id": random.randrange(300, 400),
|
||||
"owner": {"id": random.randrange(400, 500)},
|
||||
"organization": {"id": random.randrange(500, 600)},
|
||||
"user": {"num_resources": random.randrange(10)},
|
||||
}
|
||||
]
|
||||
|
||||
|
||||
def is_same_org(org1, org2):
|
||||
if org1 is not None and org2 is not None:
|
||||
return org1["id"] == org2["id"]
|
||||
elif org1 is None and org2 is None:
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
|
||||
def eval_rule(scope, context, ownership, privilege, membership, data):
|
||||
if privilege == "admin":
|
||||
return True
|
||||
|
||||
rules = list(filter(lambda r: scope == r["scope"], simple_rules))
|
||||
rules = list(filter(lambda r: r["context"] == "na" or context == r["context"], rules))
|
||||
rules = list(filter(lambda r: r["ownership"] == "na" or ownership == r["ownership"], rules))
|
||||
rules = list(
|
||||
filter(
|
||||
lambda r: r["membership"] == "na"
|
||||
or ORG_ROLES.index(membership) <= ORG_ROLES.index(r["membership"]),
|
||||
rules,
|
||||
)
|
||||
)
|
||||
rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r["privilege"]), rules))
|
||||
resource = data["resource"]
|
||||
rules = list(
|
||||
filter(lambda r: not r["limit"] or eval(r["limit"], {"resource": resource}), rules)
|
||||
)
|
||||
if (
|
||||
not is_same_org(data["auth"]["organization"], data["resource"]["organization"])
|
||||
and context != "sandbox"
|
||||
):
|
||||
return False
|
||||
|
||||
return bool(rules)
|
||||
|
||||
|
||||
def get_data(scope, context, ownership, privilege, membership, resource, same_org):
|
||||
data = {
|
||||
"scope": scope,
|
||||
"auth": {
|
||||
"user": {"id": random.randrange(0, 100), "privilege": privilege},
|
||||
"organization": {
|
||||
"id": random.randrange(100, 200),
|
||||
"owner": {"id": random.randrange(200, 300)},
|
||||
"user": {"role": membership},
|
||||
}
|
||||
if context == "organization"
|
||||
else None,
|
||||
},
|
||||
"resource": resource,
|
||||
}
|
||||
|
||||
user_id = data["auth"]["user"]["id"]
|
||||
if context == "organization":
|
||||
org_id = data["auth"]["organization"]["id"]
|
||||
if data["auth"]["organization"]["user"]["role"] == "owner":
|
||||
data["auth"]["organization"]["owner"]["id"] = user_id
|
||||
|
||||
if same_org:
|
||||
data["resource"]["organization"]["id"] = org_id
|
||||
|
||||
if ownership == "owner":
|
||||
data["resource"]["owner"]["id"] = user_id
|
||||
|
||||
return data
|
||||
|
||||
|
||||
def _get_name(prefix, **kwargs):
|
||||
name = prefix
|
||||
for k, v in kwargs.items():
|
||||
prefix = "_" + str(k)
|
||||
if isinstance(v, dict):
|
||||
if "id" not in v:
|
||||
name += _get_name(prefix, **v)
|
||||
else:
|
||||
name += f'{prefix}_{str(v).upper().replace(":", "_")}'
|
||||
|
||||
return name
|
||||
|
||||
|
||||
def get_name(scope, context, ownership, privilege, membership, resource, same_org):
|
||||
return _get_name("test", **locals())
|
||||
|
||||
|
||||
def is_valid(scope, context, ownership, privilege, membership, resource, same_org):
|
||||
if context == "sandbox" and membership:
|
||||
return False
|
||||
if scope == "list" and ownership != "None":
|
||||
return False
|
||||
if context == "sandbox" and same_org is False:
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
||||
def gen_test_rego(name):
|
||||
with open(f"{name}_test.gen.rego", "wt") as f:
|
||||
f.write(f"package {name}\n\n")
|
||||
for scope, context, ownership, privilege, membership, same_org in product(
|
||||
SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG
|
||||
):
|
||||
for resource in RESOURCES(scope):
|
||||
if not is_valid(
|
||||
scope, context, ownership, privilege, membership, resource, same_org
|
||||
):
|
||||
continue
|
||||
|
||||
data = get_data(
|
||||
scope, context, ownership, privilege, membership, resource, same_org
|
||||
)
|
||||
test_name = get_name(
|
||||
scope, context, ownership, privilege, membership, resource, same_org
|
||||
)
|
||||
result = eval_rule(scope, context, ownership, privilege, membership, data)
|
||||
f.write(
|
||||
"{test_name} {{\n {allow} with input as {data}\n}}\n\n".format(
|
||||
test_name=test_name,
|
||||
allow="allow" if result else "not allow",
|
||||
data=json.dumps(data),
|
||||
)
|
||||
)
|
||||
|
||||
# Write the script which is used to generate the file
|
||||
with open(sys.argv[0]) as this_file:
|
||||
f.write(f"\n\n# {os.path.split(sys.argv[0])[1]}\n")
|
||||
for line in this_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
# Write rules which are used to generate the file
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as rego_file:
|
||||
f.write(f"\n\n# {name}.csv\n")
|
||||
for line in rego_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
|
||||
gen_test_rego(NAME)
|
||||
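Review bot: `eval_rule` indexes `data["resource"]["organization"]` unconditionally, but `RESOURCES("list")` returns `[None]`, so any list-scope case reaching it raises `TypeError`; today this is masked only because `is_valid` rejects every list combination (`ownership != "None"` never matches the lowercase values in `OWNERSHIPS`). `get_data` has the same dependency when `same_org` is set (`data["resource"]["organization"]["id"] = org_id`). Before the ownership comparison is corrected, both should tolerate a missing resource, e.g. `resource_org = resource["organization"] if resource else None` in `eval_rule` and `if same_org and data["resource"]:` in `get_data`. Seeding `random` once (e.g. `random.seed(0)` after the imports) would also make the generated ids, and therefore the rego file, reproducible across runs.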
@ -0,0 +1,270 @@
|
||||
# Copyright (C) 2022 CVAT.ai Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: MIT
|
||||
|
||||
import csv
|
||||
import json
|
||||
import os
|
||||
import random
|
||||
import sys
|
||||
from itertools import product
|
||||
|
||||
NAME = "comments"
|
||||
|
||||
|
||||
def read_rules(name):
|
||||
rules = []
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as f:
|
||||
reader = csv.DictReader(f)
|
||||
for row in reader:
|
||||
row = {k.lower(): v.lower().replace("n/a", "na") for k, v in row.items()}
|
||||
row["limit"] = row["limit"].replace("none", "None")
|
||||
found = False
|
||||
for col, val in row.items():
|
||||
if col in ["limit", "method", "url", "resource"]:
|
||||
continue
|
||||
complex_val = [v.strip() for v in val.split(",")]
|
||||
if len(complex_val) > 1:
|
||||
found = True
|
||||
for item in complex_val:
|
||||
new_row = row.copy()
|
||||
new_row[col] = item
|
||||
rules.append(new_row)
|
||||
if not found:
|
||||
rules.append(row)
|
||||
|
||||
return rules
|
||||
|
||||
|
||||
simple_rules = read_rules(NAME)
|
||||
|
||||
SCOPES = list({rule["scope"] for rule in simple_rules})
|
||||
CONTEXTS = ["sandbox", "organization"]
|
||||
OWNERSHIPS = [
|
||||
"project:owner",
|
||||
"project:assignee",
|
||||
"task:owner",
|
||||
"task:assignee",
|
||||
"job:assignee",
|
||||
"issue:owner",
|
||||
"issue:assignee",
|
||||
"owner",
|
||||
"none",
|
||||
]
|
||||
GROUPS = ["admin", "business", "user", "worker", "none"]
|
||||
ORG_ROLES = ["owner", "maintainer", "supervisor", "worker", None]
|
||||
SAME_ORG = [True, False]
|
||||
HAS_PROJ = [True, False]
|
||||
|
||||
|
||||
def RESOURCES(scope):
|
||||
if scope == "list":
|
||||
return [None]
|
||||
else:
|
||||
return [
|
||||
{
|
||||
"id": random.randrange(300, 400),
|
||||
"owner": {"id": random.randrange(600, 700)},
|
||||
"assignee": {"id": random.randrange(500, 600)},
|
||||
"project": {
|
||||
"id": random.randrange(300, 400),
|
||||
"owner": {"id": random.randrange(700, 800)},
|
||||
"assignee": {"id": random.randrange(800, 900)},
|
||||
},
|
||||
"task": {
|
||||
"id": random.randrange(300, 400),
|
||||
"owner": {"id": random.randrange(900, 1000)},
|
||||
"assignee": {"id": random.randrange(1000, 1100)},
|
||||
},
|
||||
"job": {
|
||||
"id": random.randrange(300, 400),
|
||||
"assignee": {"id": random.randrange(1100, 1200)},
|
||||
},
|
||||
"issue": {
|
||||
"id": random.randrange(300, 400),
|
||||
"owner": {"id": random.randrange(1200, 1300)},
|
||||
"assignee": {"id": random.randrange(1300, 1400)},
|
||||
},
|
||||
"organization": {"id": random.randrange(1400, 1500)},
|
||||
}
|
||||
]
|
||||
|
||||
|
||||
def is_same_org(org1, org2):
|
||||
if org1 is not None and org2 is not None:
|
||||
return org1["id"] == org2["id"]
|
||||
elif org1 is None and org2 is None:
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
|
||||
def eval_rule(scope, context, ownership, privilege, membership, data):
|
||||
if privilege == "admin":
|
||||
return True
|
||||
|
||||
rules = list(filter(lambda r: scope == r["scope"], simple_rules))
|
||||
rules = list(filter(lambda r: r["context"] == "na" or context == r["context"], rules))
|
||||
rules = list(filter(lambda r: r["ownership"] == "na" or ownership == r["ownership"], rules))
|
||||
rules = list(
|
||||
filter(
|
||||
lambda r: r["membership"] == "na"
|
||||
or ORG_ROLES.index(membership) <= ORG_ROLES.index(r["membership"]),
|
||||
rules,
|
||||
)
|
||||
)
|
||||
rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r["privilege"]), rules))
|
||||
resource = data["resource"]
|
||||
rules = list(
|
||||
filter(lambda r: not r["limit"] or eval(r["limit"], {"resource": resource}), rules)
|
||||
)
|
||||
if (
|
||||
not is_same_org(data["auth"]["organization"], data["resource"]["organization"])
|
||||
and context != "sandbox"
|
||||
):
|
||||
return False
|
||||
|
||||
return bool(rules)
|
||||
|
||||
|
||||
def get_data(scope, context, ownership, privilege, membership, resource, same_org):
|
||||
data = {
|
||||
"scope": scope,
|
||||
"auth": {
|
||||
"user": {"id": random.randrange(0, 100), "privilege": privilege},
|
||||
"organization": {
|
||||
"id": random.randrange(100, 200),
|
||||
"owner": {"id": random.randrange(200, 300)},
|
||||
"user": {"role": membership},
|
||||
}
|
||||
if context == "organization"
|
||||
else None,
|
||||
},
|
||||
"resource": resource,
|
||||
}
|
||||
|
||||
user_id = data["auth"]["user"]["id"]
|
||||
if context == "organization":
|
||||
org_id = data["auth"]["organization"]["id"]
|
||||
if data["auth"]["organization"]["user"]["role"] == "owner":
|
||||
data["auth"]["organization"]["owner"]["id"] = user_id
|
||||
|
||||
if same_org:
|
||||
data["resource"]["organization"]["id"] = org_id
|
||||
|
||||
if ownership == "owner":
|
||||
data["resource"]["owner"]["id"] = user_id
|
||||
|
||||
if ownership == "project:owner":
|
||||
data["resource"]["project"]["owner"]["id"] = user_id
|
||||
|
||||
if ownership == "project:assignee":
|
||||
data["resource"]["project"]["assignee"]["id"] = user_id
|
||||
|
||||
if ownership == "task:owner":
|
||||
data["resource"]["task"]["owner"]["id"] = user_id
|
||||
|
||||
if ownership == "task:assignee":
|
||||
data["resource"]["task"]["assignee"]["id"] = user_id
|
||||
|
||||
if ownership == "job:assignee":
|
||||
data["resource"]["job"]["assignee"]["id"] = user_id
|
||||
|
||||
if ownership == "issue:owner":
|
||||
data["resource"]["issue"]["owner"]["id"] = user_id
|
||||
|
||||
if ownership == "issue:assignee":
|
||||
data["resource"]["issue"]["assignee"]["id"] = user_id
|
||||
|
||||
return data
|
||||
|
||||
|
||||
def _get_name(prefix, **kwargs):
|
||||
name = prefix
|
||||
for k, v in kwargs.items():
|
||||
if k == "resource":
|
||||
continue
|
||||
prefix = "_" + str(k)
|
||||
if isinstance(v, dict):
|
||||
if "id" in v:
|
||||
v = v.copy()
|
||||
v.pop("id")
|
||||
if v:
|
||||
name += _get_name(prefix, **v)
|
||||
else:
|
||||
name += "".join(
|
||||
map(
|
||||
lambda c: c if c.isalnum() else {"@": "_IN_"}.get(c, "_"),
|
||||
f"{prefix}_{str(v).upper()}",
|
||||
)
|
||||
)
|
||||
|
||||
return name
|
||||
|
||||
|
||||
def get_name(scope, context, ownership, privilege, membership, resource, same_org, has_proj):
|
||||
return _get_name("test", **locals())
|
||||
|
||||
|
||||
def is_valid(scope, context, ownership, privilege, membership, resource, same_org, has_proj):
|
||||
if context == "sandbox" and membership:
|
||||
return False
|
||||
if scope == "list" and ownership != "None":
|
||||
return False
|
||||
if context == "sandbox" and same_org is False:
|
||||
return False
|
||||
if not has_proj and ownership.startswith("project"):
|
||||
return False
|
||||
if scope == "create@issue" and ownership == "owner":
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
||||
def gen_test_rego(name):
|
||||
with open(f"{name}_test.gen.rego", "wt") as f:
|
||||
f.write(f"package {name}\n\n")
|
||||
for scope, context, ownership, privilege, membership, same_org, has_proj in product(
|
||||
SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG, HAS_PROJ
|
||||
):
|
||||
for resource in RESOURCES(scope):
|
||||
if not is_valid(
|
||||
scope, context, ownership, privilege, membership, resource, same_org, has_proj
|
||||
):
|
||||
continue
|
||||
|
||||
data = get_data(
|
||||
scope, context, ownership, privilege, membership, resource, same_org
|
||||
)
|
||||
test_name = get_name(
|
||||
scope, context, ownership, privilege, membership, resource, same_org, has_proj
|
||||
)
|
||||
result = eval_rule(scope, context, ownership, privilege, membership, data)
|
||||
f.write(
|
||||
"{test_name} {{\n {allow} with input as {data}\n}}\n\n".format(
|
||||
test_name=test_name,
|
||||
allow="allow" if result else "not allow",
|
||||
data=json.dumps(data),
|
||||
)
|
||||
)
|
||||
|
||||
# Write the script which is used to generate the file
|
||||
with open(sys.argv[0]) as this_file:
|
||||
f.write(f"\n\n# {os.path.split(sys.argv[0])[1]}\n")
|
||||
for line in this_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
# Write rules which are used to generate the file
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as rego_file:
|
||||
f.write(f"\n\n# {name}.csv\n")
|
||||
for line in rego_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
|
||||
gen_test_rego(NAME)
|
||||
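Review bot: `has_proj` never reaches the generated input: `RESOURCES` always builds a `"project"` sub-object, `get_data` is not given `has_proj`, and the flag only affects `is_valid` and the test name, so the `..._HAS_PROJ_FALSE` tests carry the same resource shape as their `_TRUE` counterparts apart from the excluded `project:*` ownerships. If the policy is meant to distinguish issues without a project, pass `has_proj` into `get_data` and clear the sub-object, e.g. `if not has_proj: data["resource"]["project"] = None`, and keep the Limit expressions evaluated in `eval_rule` tolerant of that `None`. The issues generator appears to follow the same pattern; its section continues past this chunk.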
@ -0,0 +1,217 @@
|
||||
# Copyright (C) 2022 CVAT.ai Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: MIT
|
||||
|
||||
import csv
|
||||
import json
|
||||
import os
|
||||
import random
|
||||
import sys
|
||||
from itertools import product
|
||||
|
||||
NAME = "invitations"
|
||||
|
||||
|
||||
def read_rules(name):
|
||||
rules = []
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as f:
|
||||
reader = csv.DictReader(f)
|
||||
for row in reader:
|
||||
row = {k.lower(): v.lower().replace("n/a", "na") for k, v in row.items()}
|
||||
row["limit"] = row["limit"].replace("none", "None")
|
||||
found = False
|
||||
for col, val in row.items():
|
||||
if col in ["limit", "method", "url"]:
|
||||
continue
|
||||
complex_val = [v.strip() for v in val.split(",")]
|
||||
if len(complex_val) > 1:
|
||||
found = True
|
||||
for item in complex_val:
|
||||
new_row = row.copy()
|
||||
new_row[col] = item
|
||||
rules.append(new_row)
|
||||
if not found:
|
||||
rules.append(row)
|
||||
|
||||
return rules
|
||||
|
||||
|
||||
simple_rules = read_rules(NAME)
|
||||
|
||||
SCOPES = {rule["scope"] for rule in simple_rules}
|
||||
CONTEXTS = ["sandbox", "organization"]
|
||||
OWNERSHIPS = ["owner", "invitee", "none"]
|
||||
GROUPS = ["admin", "business", "user", "worker", "none"]
|
||||
ORG_ROLES = ["owner", "maintainer", "supervisor", "worker", None]
|
||||
SAME_ORG = [False, True]
|
||||
|
||||
|
||||
def RESOURCES(scope):
|
||||
if scope == "list":
|
||||
return [None]
|
||||
else:
|
||||
return [
|
||||
{
|
||||
"owner": {"id": random.randrange(300, 400)},
|
||||
"invitee": {"id": random.randrange(400, 500)},
|
||||
"role": role,
|
||||
"organization": {"id": random.randrange(500, 600)},
|
||||
}
|
||||
for role in ORG_ROLES
|
||||
if role is not None
|
||||
]
|
||||
|
||||
|
||||
def is_same_org(org1, org2):
|
||||
if org1 is not None and org2 is not None:
|
||||
return org1["id"] == org2["id"]
|
||||
elif org1 is None and org2 is None:
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
|
||||
def eval_rule(scope, context, ownership, privilege, membership, data):
|
||||
if privilege == "admin":
|
||||
return True
|
||||
|
||||
rules = list(filter(lambda r: scope == r["scope"], simple_rules))
|
||||
rules = list(filter(lambda r: r["context"] == "na" or context == r["context"], rules))
|
||||
rules = list(filter(lambda r: r["ownership"] == "na" or ownership == r["ownership"], rules))
|
||||
rules = list(
|
||||
filter(
|
||||
lambda r: r["membership"] == "na"
|
||||
or ORG_ROLES.index(membership) <= ORG_ROLES.index(r["membership"]),
|
||||
rules,
|
||||
)
|
||||
)
|
||||
rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r["privilege"]), rules))
|
||||
resource = data["resource"]
|
||||
rules = list(
|
||||
filter(
|
||||
lambda r: not r["limit"]
|
||||
or r["limit"].startswith("filter")
|
||||
or eval(r["limit"], {"resource": resource}),
|
||||
rules,
|
||||
)
|
||||
)
|
||||
if (
|
||||
not is_same_org(data["auth"]["organization"], data["resource"]["organization"])
|
||||
and context != "sandbox"
|
||||
):
|
||||
return False
|
||||
|
||||
return bool(rules)
|
||||
|
||||
|
||||
def get_data(scope, context, ownership, privilege, membership, resource, same_org):
|
||||
data = {
|
||||
"scope": scope,
|
||||
"auth": {
|
||||
"user": {"id": random.randrange(0, 100), "privilege": privilege},
|
||||
"organization": {
|
||||
"id": random.randrange(100, 200),
|
||||
"owner": {"id": random.randrange(200, 300)},
|
||||
"user": {"role": membership},
|
||||
}
|
||||
if context == "organization"
|
||||
else None,
|
||||
},
|
||||
"resource": resource,
|
||||
}
|
||||
|
||||
user_id = data["auth"]["user"]["id"]
|
||||
if context == "organization":
|
||||
org_id = data["auth"]["organization"]["id"]
|
||||
if data["auth"]["organization"]["user"]["role"] == "owner":
|
||||
data["auth"]["organization"]["owner"]["id"] = user_id
|
||||
|
||||
if same_org:
|
||||
data["resource"]["organization"]["id"] = org_id
|
||||
|
||||
if ownership == "owner":
|
||||
data["resource"]["owner"]["id"] = user_id
|
||||
elif ownership == "invitee":
|
||||
data["resource"]["invitee"]["id"] = user_id
|
||||
|
||||
if scope == "create":
|
||||
data["resource"]["invitee"]["id"] = None
|
||||
|
||||
return data
|
||||
|
||||
|
||||
def _get_name(prefix, **kwargs):
|
||||
name = prefix
|
||||
for k, v in kwargs.items():
|
||||
prefix = "_" + str(k)
|
||||
if isinstance(v, dict):
|
||||
if "id" not in v:
|
||||
name += _get_name(prefix, **v)
|
||||
else:
|
||||
name += f"{prefix}_{str(v).upper()}"
|
||||
|
||||
return name
|
||||
|
||||
|
||||
def get_name(scope, context, ownership, privilege, membership, resource, same_org):
|
||||
return _get_name("test", **locals())
|
||||
|
||||
|
||||
def is_valid(scope, context, ownership, privilege, membership, resource, same_org):
|
||||
if context == "sandbox" and membership:
|
||||
return False
|
||||
if scope == "list" and ownership != "None":
|
||||
return False
|
||||
if context == "sandbox" and same_org is False:
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
||||
def gen_test_rego(name):
|
||||
with open(f"{name}_test.gen.rego", "wt") as f:
|
||||
f.write(f"package {name}\n\n")
|
||||
for scope, context, ownership, privilege, membership, same_org in product(
|
||||
SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG
|
||||
):
|
||||
for resource in RESOURCES(scope):
|
||||
if not is_valid(
|
||||
scope, context, ownership, privilege, membership, resource, same_org
|
||||
):
|
||||
continue
|
||||
|
||||
data = get_data(
|
||||
scope, context, ownership, privilege, membership, resource, same_org
|
||||
)
|
||||
test_name = get_name(
|
||||
scope, context, ownership, privilege, membership, resource, same_org
|
||||
)
|
||||
result = eval_rule(scope, context, ownership, privilege, membership, data)
|
||||
f.write(
|
||||
"{test_name} {{\n {allow} with input as {data}\n}}\n\n".format(
|
||||
test_name=test_name,
|
||||
allow="allow" if result else "not allow",
|
||||
data=json.dumps(data),
|
||||
)
|
||||
)
|
||||
|
||||
# Write the script which is used to generate the file
|
||||
with open(sys.argv[0]) as this_file:
|
||||
f.write(f"\n\n# {os.path.split(sys.argv[0])[1]}\n")
|
||||
for line in this_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
# Write rules which are used to generate the file
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as rego_file:
|
||||
f.write(f"\n\n# {name}.csv\n")
|
||||
for line in rego_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
|
||||
gen_test_rego(NAME)
|
||||
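Review bot: In `get_data`, the `scope == "create"` branch sets `data["resource"]["invitee"]["id"] = None` after the `ownership == "invitee"` branch has set it to the user id, so create-scope tests named `..._ownership_INVITEE_...` carry no invitee and duplicate the `none` ownership data. Unless that is intended, skip the combination in `is_valid`, e.g. `if scope == "create" and ownership == "invitee": return False`, as the comments generator does for `create@issue` with `owner`. The `r["limit"].startswith("filter")` short-circuit in `eval_rule` also accepts such rules without evaluating the expression; a one-line comment stating why filter-style limits are treated as satisfied would save the next reader a detour.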
@ -0,0 +1,261 @@
|
||||
# Copyright (C) 2022 CVAT.ai Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: MIT
|
||||
|
||||
import csv
|
||||
import json
|
||||
import os
|
||||
import random
|
||||
import sys
|
||||
from itertools import product
|
||||
|
||||
NAME = "issues"
|
||||
|
||||
|
||||
def read_rules(name):
|
||||
rules = []
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as f:
|
||||
reader = csv.DictReader(f)
|
||||
for row in reader:
|
||||
row = {k.lower(): v.lower().replace("n/a", "na") for k, v in row.items()}
|
||||
row["limit"] = row["limit"].replace("none", "None")
|
||||
found = False
|
||||
for col, val in row.items():
|
||||
if col in ["limit", "method", "url", "resource"]:
|
||||
continue
|
||||
complex_val = [v.strip() for v in val.split(",")]
|
||||
if len(complex_val) > 1:
|
||||
found = True
|
||||
for item in complex_val:
|
||||
new_row = row.copy()
|
||||
new_row[col] = item
|
||||
rules.append(new_row)
|
||||
if not found:
|
||||
rules.append(row)
|
||||
|
||||
return rules
|
||||
|
||||
|
||||
simple_rules = read_rules(NAME)
|
||||
|
||||
SCOPES = list({rule["scope"] for rule in simple_rules})
|
||||
CONTEXTS = ["sandbox", "organization"]
|
||||
OWNERSHIPS = [
|
||||
"project:owner",
|
||||
"project:assignee",
|
||||
"task:owner",
|
||||
"task:assignee",
|
||||
"job:assignee",
|
||||
"owner",
|
||||
"assignee",
|
||||
"none",
|
||||
]
|
||||
GROUPS = ["admin", "business", "user", "worker", "none"]
|
||||
ORG_ROLES = ["owner", "maintainer", "supervisor", "worker", None]
|
||||
SAME_ORG = [True, False]
|
||||
HAS_PROJ = [True, False]
|
||||
|
||||
|
||||
def RESOURCES(scope):
|
||||
if scope == "list":
|
||||
return [None]
|
||||
else:
|
||||
return [
|
||||
{
|
||||
"id": random.randrange(300, 400),
|
||||
"owner": {"id": random.randrange(600, 700)},
|
||||
"assignee": {"id": random.randrange(500, 600)},
|
||||
"project": {
|
||||
"id": random.randrange(300, 400),
|
||||
"owner": {"id": random.randrange(700, 800)},
|
||||
"assignee": {"id": random.randrange(800, 900)},
|
||||
},
|
||||
"task": {
|
||||
"id": random.randrange(300, 400),
|
||||
"owner": {"id": random.randrange(900, 1000)},
|
||||
"assignee": {"id": random.randrange(1000, 1100)},
|
||||
},
|
||||
"job": {
|
||||
"id": random.randrange(300, 400),
|
||||
"assignee": {"id": random.randrange(1100, 1200)},
|
||||
},
|
||||
"organization": {"id": random.randrange(1200, 1300)},
|
||||
}
|
||||
]
|
||||
|
||||
|
||||
def is_same_org(org1, org2):
|
||||
if org1 is not None and org2 is not None:
|
||||
return org1["id"] == org2["id"]
|
||||
elif org1 is None and org2 is None:
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
|
||||
def eval_rule(scope, context, ownership, privilege, membership, data):
|
||||
if privilege == "admin":
|
||||
return True
|
||||
|
||||
rules = list(filter(lambda r: scope == r["scope"], simple_rules))
|
||||
rules = list(filter(lambda r: r["context"] == "na" or context == r["context"], rules))
|
||||
rules = list(filter(lambda r: r["ownership"] == "na" or ownership == r["ownership"], rules))
|
||||
rules = list(
|
||||
filter(
|
||||
lambda r: r["membership"] == "na"
|
||||
or ORG_ROLES.index(membership) <= ORG_ROLES.index(r["membership"]),
|
||||
rules,
|
||||
)
|
||||
)
|
||||
rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r["privilege"]), rules))
|
||||
resource = data["resource"]
|
||||
rules = list(
|
||||
filter(lambda r: not r["limit"] or eval(r["limit"], {"resource": resource}), rules)
|
||||
)
|
||||
if (
|
||||
not is_same_org(data["auth"]["organization"], data["resource"]["organization"])
|
||||
and context != "sandbox"
|
||||
):
|
||||
return False
|
||||
|
||||
return bool(rules)
|
||||
|
||||
|
||||
def get_data(scope, context, ownership, privilege, membership, resource, same_org):
|
||||
data = {
|
||||
"scope": scope,
|
||||
"auth": {
|
||||
"user": {"id": random.randrange(0, 100), "privilege": privilege},
|
||||
"organization": {
|
||||
"id": random.randrange(100, 200),
|
||||
"owner": {"id": random.randrange(200, 300)},
|
||||
"user": {"role": membership},
|
||||
}
|
||||
if context == "organization"
|
||||
else None,
|
||||
},
|
||||
"resource": resource,
|
||||
}
|
||||
|
||||
user_id = data["auth"]["user"]["id"]
|
||||
if context == "organization":
|
||||
org_id = data["auth"]["organization"]["id"]
|
||||
if data["auth"]["organization"]["user"]["role"] == "owner":
|
||||
data["auth"]["organization"]["owner"]["id"] = user_id
|
||||
|
||||
if same_org:
|
||||
data["resource"]["organization"]["id"] = org_id
|
||||
|
||||
if ownership == "owner":
|
||||
data["resource"]["owner"]["id"] = user_id
|
||||
|
||||
if ownership == "assignee":
|
||||
data["resource"]["assignee"]["id"] = user_id
|
||||
|
||||
if ownership == "project:owner":
|
||||
data["resource"]["project"]["owner"]["id"] = user_id
|
||||
|
||||
if ownership == "project:assignee":
|
||||
data["resource"]["project"]["assignee"]["id"] = user_id
|
||||
|
||||
if ownership == "task:owner":
|
||||
data["resource"]["task"]["owner"]["id"] = user_id
|
||||
|
||||
if ownership == "task:assignee":
|
||||
data["resource"]["task"]["assignee"]["id"] = user_id
|
||||
|
||||
if ownership == "job:assignee":
|
||||
data["resource"]["job"]["assignee"]["id"] = user_id
|
||||
|
||||
return data
|
||||
|
||||
|
||||
def _get_name(prefix, **kwargs):
|
||||
name = prefix
|
||||
for k, v in kwargs.items():
|
||||
if k == "resource":
|
||||
continue
|
||||
prefix = "_" + str(k)
|
||||
if isinstance(v, dict):
|
||||
if "id" in v:
|
||||
v = v.copy()
|
||||
v.pop("id")
|
||||
if v:
|
||||
name += _get_name(prefix, **v)
|
||||
else:
|
||||
name += "".join(
|
||||
map(
|
||||
lambda c: c if c.isalnum() else {"@": "_IN_"}.get(c, "_"),
|
||||
f"{prefix}_{str(v).upper()}",
|
||||
)
|
||||
)
|
||||
|
||||
return name
|
||||
|
||||
|
||||
def get_name(scope, context, ownership, privilege, membership, resource, same_org, has_proj):
|
||||
return _get_name("test", **locals())
|
||||
|
||||
|
||||
def is_valid(scope, context, ownership, privilege, membership, resource, same_org, has_proj):
|
||||
if context == "sandbox" and membership:
|
||||
return False
|
||||
if scope == "list" and ownership != "None":
|
||||
return False
|
||||
if context == "sandbox" and same_org is False:
|
||||
return False
|
||||
if not has_proj and ownership.startswith("project"):
|
||||
return False
|
||||
if scope == "create@job" and ownership in ["owner", "assignee"]:
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
||||
def gen_test_rego(name):
|
||||
with open(f"{name}_test.gen.rego", "wt") as f:
|
||||
f.write(f"package {name}\n\n")
|
||||
for scope, context, ownership, privilege, membership, same_org, has_proj in product(
|
||||
SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG, HAS_PROJ
|
||||
):
|
||||
for resource in RESOURCES(scope):
|
||||
if not is_valid(
|
||||
scope, context, ownership, privilege, membership, resource, same_org, has_proj
|
||||
):
|
||||
continue
|
||||
|
||||
data = get_data(
|
||||
scope, context, ownership, privilege, membership, resource, same_org
|
||||
)
|
||||
test_name = get_name(
|
||||
scope, context, ownership, privilege, membership, resource, same_org, has_proj
|
||||
)
|
||||
result = eval_rule(scope, context, ownership, privilege, membership, data)
|
||||
f.write(
|
||||
"{test_name} {{\n {allow} with input as {data}\n}}\n\n".format(
|
||||
test_name=test_name,
|
||||
allow="allow" if result else "not allow",
|
||||
data=json.dumps(data),
|
||||
)
|
||||
)
|
||||
|
||||
# Write the script which is used to generate the file
|
||||
with open(sys.argv[0]) as this_file:
|
||||
f.write(f"\n\n# {os.path.split(sys.argv[0])[1]}\n")
|
||||
for line in this_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
# Write rules which are used to generate the file
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as rego_file:
|
||||
f.write(f"\n\n# {name}.csv\n")
|
||||
for line in rego_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
|
||||
gen_test_rego(NAME)
|
||||
@ -0,0 +1,245 @@
|
||||
# Copyright (C) 2022 CVAT.ai Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: MIT
|
||||
|
||||
import csv
|
||||
import json
|
||||
import os
|
||||
import random
|
||||
import sys
|
||||
from itertools import product
|
||||
|
||||
random.seed(42)
|
||||
|
||||
NAME = "jobs"
|
||||
|
||||
|
||||
def read_rules(name):
|
||||
rules = []
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as f:
|
||||
reader = csv.DictReader(f)
|
||||
for row in reader:
|
||||
row = {k.lower(): v.lower().replace("n/a", "na") for k, v in row.items()}
|
||||
row["limit"] = row["limit"].replace("none", "None")
|
||||
found = False
|
||||
for col, val in row.items():
|
||||
if col in ["limit", "method", "url", "resource"]:
|
||||
continue
|
||||
complex_val = [v.strip() for v in val.split(",")]
|
||||
if len(complex_val) > 1:
|
||||
found = True
|
||||
for item in complex_val:
|
||||
new_row = row.copy()
|
||||
new_row[col] = item
|
||||
rules.append(new_row)
|
||||
if not found:
|
||||
rules.append(row)
|
||||
|
||||
return rules
|
||||
|
||||
|
||||
simple_rules = read_rules(NAME)
|
||||
|
||||
SCOPES = list({rule["scope"] for rule in simple_rules})
|
||||
CONTEXTS = ["sandbox", "organization"]
|
||||
OWNERSHIPS = [
|
||||
"project:owner",
|
||||
"project:assignee",
|
||||
"task:owner",
|
||||
"task:assignee",
|
||||
"assignee",
|
||||
"none",
|
||||
]
|
||||
GROUPS = ["admin", "business", "user", "worker", "none"]
|
||||
ORG_ROLES = ["owner", "maintainer", "supervisor", "worker", None]
|
||||
SAME_ORG = [True, False]
|
||||
|
||||
|
||||
def RESOURCES(scope):
|
||||
if scope == "list":
|
||||
return [None]
|
||||
else:
|
||||
return [
|
||||
{
|
||||
"id": random.randrange(300, 400),
|
||||
"assignee": {"id": random.randrange(500, 600)},
|
||||
"organization": {"id": random.randrange(600, 700)},
|
||||
"project": {
|
||||
"id": random.randrange(300, 400),
|
||||
"owner": {"id": random.randrange(700, 800)},
|
||||
"assignee": {"id": random.randrange(800, 900)},
|
||||
},
|
||||
"task": {
|
||||
"id": random.randrange(300, 400),
|
||||
"owner": {"id": random.randrange(900, 1000)},
|
||||
"assignee": {"id": random.randrange(1000, 1100)},
|
||||
},
|
||||
}
|
||||
]
|
||||
|
||||
|
||||
def is_same_org(org1, org2):
|
||||
if org1 is not None and org2 is not None:
|
||||
return org1["id"] == org2["id"]
|
||||
elif org1 is None and org2 is None:
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
|
||||
def eval_rule(scope, context, ownership, privilege, membership, data):
|
||||
if privilege == "admin":
|
||||
return True
|
||||
|
||||
rules = list(filter(lambda r: scope == r["scope"], simple_rules))
|
||||
rules = list(filter(lambda r: r["context"] == "na" or context == r["context"], rules))
|
||||
rules = list(filter(lambda r: r["ownership"] == "na" or ownership == r["ownership"], rules))
|
||||
rules = list(
|
||||
filter(
|
||||
lambda r: r["membership"] == "na"
|
||||
or ORG_ROLES.index(membership) <= ORG_ROLES.index(r["membership"]),
|
||||
rules,
|
||||
)
|
||||
)
|
||||
rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r["privilege"]), rules))
|
||||
resource = data["resource"]
|
||||
rules = list(
|
||||
filter(lambda r: not r["limit"] or eval(r["limit"], {"resource": resource}), rules)
|
||||
)
|
||||
if (
|
||||
not is_same_org(data["auth"]["organization"], data["resource"]["organization"])
|
||||
and context != "sandbox"
|
||||
):
|
||||
return False
|
||||
|
||||
return bool(rules)
|
||||
|
||||
|
||||
def get_data(scope, context, ownership, privilege, membership, resource, same_org):
|
||||
data = {
|
||||
"scope": scope,
|
||||
"auth": {
|
||||
"user": {"id": random.randrange(0, 100), "privilege": privilege},
|
||||
"organization": {
|
||||
"id": random.randrange(100, 200),
|
||||
"owner": {"id": random.randrange(200, 300)},
|
||||
"user": {"role": membership},
|
||||
}
|
||||
if context == "organization"
|
||||
else None,
|
||||
},
|
||||
"resource": resource,
|
||||
}
|
||||
|
||||
user_id = data["auth"]["user"]["id"]
|
||||
if context == "organization":
|
||||
org_id = data["auth"]["organization"]["id"]
|
||||
if data["auth"]["organization"]["user"]["role"] == "owner":
|
||||
data["auth"]["organization"]["owner"]["id"] = user_id
|
||||
|
||||
if same_org:
|
||||
data["resource"]["organization"]["id"] = org_id
|
||||
|
||||
if ownership == "assignee":
|
||||
data["resource"]["assignee"]["id"] = user_id
|
||||
|
||||
if ownership == "project:owner":
|
||||
data["resource"]["project"]["owner"]["id"] = user_id
|
||||
|
||||
if ownership == "project:assignee":
|
||||
data["resource"]["project"]["assignee"]["id"] = user_id
|
||||
|
||||
if ownership == "task:owner":
|
||||
data["resource"]["task"]["owner"]["id"] = user_id
|
||||
|
||||
if ownership == "task:assignee":
|
||||
data["resource"]["task"]["assignee"]["id"] = user_id
|
||||
|
||||
return data
|
||||
|
||||
|
||||
def _get_name(prefix, **kwargs):
|
||||
name = prefix
|
||||
for k, v in kwargs.items():
|
||||
if k == "resource":
|
||||
continue
|
||||
prefix = "_" + str(k)
|
||||
if isinstance(v, dict):
|
||||
if "id" in v:
|
||||
v = v.copy()
|
||||
v.pop("id")
|
||||
if v:
|
||||
name += _get_name(prefix, **v)
|
||||
else:
|
||||
name += "".join(
|
||||
map(
|
||||
lambda c: c if c.isalnum() else {"@": "_IN_"}.get(c, "_"),
|
||||
f"{prefix}_{str(v).upper()}",
|
||||
)
|
||||
)
|
||||
|
||||
return name
|
||||
|
||||
|
||||
def get_name(scope, context, ownership, privilege, membership, resource, same_org):
|
||||
return _get_name("test", **locals())
|
||||
|
||||
|
||||
def is_valid(scope, context, ownership, privilege, membership, resource, same_org):
|
||||
if context == "sandbox" and membership:
|
||||
return False
|
||||
if scope == "list" and ownership != "None":
|
||||
return False
|
||||
if context == "sandbox" and same_org is False:
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
||||
def gen_test_rego(name):
|
||||
with open(f"{name}_test.gen.rego", "wt") as f:
|
||||
f.write(f"package {name}\n\n")
|
||||
for scope, context, ownership, privilege, membership, same_org in product(
|
||||
SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG
|
||||
):
|
||||
for resource in RESOURCES(scope):
|
||||
if not is_valid(
|
||||
scope, context, ownership, privilege, membership, resource, same_org
|
||||
):
|
||||
continue
|
||||
|
||||
data = get_data(
|
||||
scope, context, ownership, privilege, membership, resource, same_org
|
||||
)
|
||||
test_name = get_name(
|
||||
scope, context, ownership, privilege, membership, resource, same_org
|
||||
)
|
||||
result = eval_rule(scope, context, ownership, privilege, membership, data)
|
||||
f.write(
|
||||
"{test_name} {{\n {allow} with input as {data}\n}}\n\n".format(
|
||||
test_name=test_name,
|
||||
allow="allow" if result else "not allow",
|
||||
data=json.dumps(data),
|
||||
)
|
||||
)
|
||||
|
||||
# Write the script which is used to generate the file
|
||||
with open(sys.argv[0]) as this_file:
|
||||
f.write(f"\n\n# {os.path.split(sys.argv[0])[1]}\n")
|
||||
for line in this_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
# Write rules which are used to generate the file
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as rego_file:
|
||||
f.write(f"\n\n# {name}.csv\n")
|
||||
for line in rego_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
|
||||
gen_test_rego(NAME)
|
||||
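Review bot: `is_valid` compares `ownership` with the literal `"None"`, but every entry of OWNERSHIPS is lowercase (`"none"`), so for `scope == "list"` the guard is true for every combination and no list-scope test case is ever written — the policy's list behaviour gets no generated coverage even though `RESOURCES` returns `[None]` specifically for that scope. The same dead comparison is in the lambda, memberships and organizations scripts (and presumably projects, whose `is_valid` is outside this view). Changing it to `if scope == "list" and ownership != "none":` is only half the fix: with a `None` resource, `eval_rule` then indexes `data["resource"]["organization"]` in the same-org check and raises, so the list path needs to handle a `None` resource first. If list scope is intentionally covered elsewhere, replace the comparison with an explicit `if scope == "list": return False` and a comment saying why, so the skipped coverage is visible rather than accidental.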
@ -0,0 +1,175 @@
|
||||
# Copyright (C) 2022 CVAT.ai Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: MIT
|
||||
|
||||
import csv
|
||||
import json
|
||||
import os
|
||||
import random
|
||||
import sys
|
||||
from itertools import product
|
||||
|
||||
NAME = "lambda"
|
||||
|
||||
|
||||
def read_rules(name):
|
||||
rules = []
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as f:
|
||||
reader = csv.DictReader(f)
|
||||
for row in reader:
|
||||
row = {k.lower(): v.lower().replace("n/a", "na") for k, v in row.items()}
|
||||
row["limit"] = row["limit"].replace("none", "None")
|
||||
found = False
|
||||
for col, val in row.items():
|
||||
if col in ["limit", "method", "url", "resource"]:
|
||||
continue
|
||||
complex_val = [v.strip() for v in val.split(",")]
|
||||
if len(complex_val) > 1:
|
||||
found = True
|
||||
for item in complex_val:
|
||||
new_row = row.copy()
|
||||
new_row[col] = item
|
||||
rules.append(new_row)
|
||||
if not found:
|
||||
rules.append(row)
|
||||
|
||||
return rules
|
||||
|
||||
|
||||
simple_rules = read_rules(NAME)
|
||||
|
||||
SCOPES = list({rule["scope"] for rule in simple_rules})
|
||||
CONTEXTS = ["sandbox", "organization"]
|
||||
OWNERSHIPS = ["none"]
|
||||
GROUPS = ["admin", "business", "user", "worker", "none"]
|
||||
ORG_ROLES = ["owner", "maintainer", "supervisor", "worker", None]
|
||||
|
||||
|
||||
def RESOURCES(scope):
|
||||
return [None]
|
||||
|
||||
|
||||
def eval_rule(scope, context, ownership, privilege, membership, data):
|
||||
if privilege == "admin":
|
||||
return True
|
||||
|
||||
rules = list(filter(lambda r: scope == r["scope"], simple_rules))
|
||||
rules = list(filter(lambda r: r["context"] == "na" or context == r["context"], rules))
|
||||
rules = list(filter(lambda r: r["ownership"] == "na" or ownership == r["ownership"], rules))
|
||||
rules = list(
|
||||
filter(
|
||||
lambda r: r["membership"] == "na"
|
||||
or ORG_ROLES.index(membership) <= ORG_ROLES.index(r["membership"]),
|
||||
rules,
|
||||
)
|
||||
)
|
||||
rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r["privilege"]), rules))
|
||||
resource = data["resource"]
|
||||
rules = list(
|
||||
filter(lambda r: not r["limit"] or eval(r["limit"], {"resource": resource}), rules)
|
||||
)
|
||||
|
||||
return bool(rules)
|
||||
|
||||
|
||||
def get_data(scope, context, ownership, privilege, membership, resource):
|
||||
data = {
|
||||
"scope": scope,
|
||||
"auth": {
|
||||
"user": {"id": random.randrange(0, 100), "privilege": privilege},
|
||||
"organization": {
|
||||
"id": random.randrange(100, 200),
|
||||
"owner": {"id": random.randrange(200, 300)},
|
||||
"user": {"role": membership},
|
||||
}
|
||||
if context == "organization"
|
||||
else None,
|
||||
},
|
||||
"resource": resource,
|
||||
}
|
||||
|
||||
user_id = data["auth"]["user"]["id"]
|
||||
if context == "organization":
|
||||
if data["auth"]["organization"]["user"]["role"] == "owner":
|
||||
data["auth"]["organization"]["owner"]["id"] = user_id
|
||||
|
||||
return data
|
||||
|
||||
|
||||
def _get_name(prefix, **kwargs):
|
||||
name = prefix
|
||||
for k, v in kwargs.items():
|
||||
if k == "resource":
|
||||
continue
|
||||
prefix = "_" + str(k)
|
||||
if isinstance(v, dict):
|
||||
if "id" in v:
|
||||
v = v.copy()
|
||||
v.pop("id")
|
||||
if v:
|
||||
name += _get_name(prefix, **v)
|
||||
else:
|
||||
name += "".join(
|
||||
map(
|
||||
lambda c: c if c.isalnum() else {"@": "_IN_"}.get(c, "_"),
|
||||
f"{prefix}_{str(v).upper()}",
|
||||
)
|
||||
)
|
||||
|
||||
return name
|
||||
|
||||
|
||||
def get_name(scope, context, ownership, privilege, membership, resource):
|
||||
return _get_name("test", **locals())
|
||||
|
||||
|
||||
def is_valid(scope, context, ownership, privilege, membership, resource):
|
||||
if context == "sandbox" and membership:
|
||||
return False
|
||||
if scope == "list" and ownership != "None":
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
||||
def gen_test_rego(name):
|
||||
with open(f"{name}_test.gen.rego", "wt") as f:
|
||||
f.write(f"package {name}\n\n")
|
||||
for scope, context, ownership, privilege, membership in product(
|
||||
SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES
|
||||
):
|
||||
for resource in RESOURCES(scope):
|
||||
if not is_valid(scope, context, ownership, privilege, membership, resource):
|
||||
continue
|
||||
|
||||
data = get_data(scope, context, ownership, privilege, membership, resource)
|
||||
test_name = get_name(scope, context, ownership, privilege, membership, resource)
|
||||
result = eval_rule(scope, context, ownership, privilege, membership, data)
|
||||
f.write(
|
||||
"{test_name} {{\n {allow} with input as {data}\n}}\n\n".format(
|
||||
test_name=test_name,
|
||||
allow="allow" if result else "not allow",
|
||||
data=json.dumps(data),
|
||||
)
|
||||
)
|
||||
|
||||
# Write the script which is used to generate the file
|
||||
with open(sys.argv[0]) as this_file:
|
||||
f.write(f"\n\n# {os.path.split(sys.argv[0])[1]}\n")
|
||||
for line in this_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
# Write rules which are used to generate the file
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as rego_file:
|
||||
f.write(f"\n\n# {name}.csv\n")
|
||||
for line in rego_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
|
||||
gen_test_rego(NAME)
|
||||
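Review bot: This script never seeds `random`, while the jobs script calls `random.seed(42)` right after its imports; the memberships, organizations and projects scripts are unseeded as well. Every generated case embeds `random.randrange` ids in its `input`, so each run produces a different `lambda_test.gen.rego` and two developers cannot diff their outputs or bisect a policy change against a stable fixture. Adding `random.seed(42)` after the imports, as in the jobs script, makes the fixtures reproducible; longer term the seed and the helpers duplicated across all five scripts (`read_rules`, `eval_rule`, `_get_name`, `gen_test_rego`) belong in one shared module.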
@ -0,0 +1,211 @@
|
||||
# Copyright (C) 2022 CVAT.ai Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: MIT
|
||||
|
||||
import csv
|
||||
import json
|
||||
import os
|
||||
import random
|
||||
import sys
|
||||
from itertools import product
|
||||
|
||||
NAME = "memberships"
|
||||
|
||||
|
||||
def read_rules(name):
|
||||
rules = []
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as f:
|
||||
reader = csv.DictReader(f)
|
||||
for row in reader:
|
||||
row = {k.lower(): v.lower().replace("n/a", "na") for k, v in row.items()}
|
||||
row["limit"] = row["limit"].replace("none", "None")
|
||||
found = False
|
||||
for col, val in row.items():
|
||||
if col in ["limit", "method", "url"]:
|
||||
continue
|
||||
complex_val = [v.strip() for v in val.split(",")]
|
||||
if len(complex_val) > 1:
|
||||
found = True
|
||||
for item in complex_val:
|
||||
new_row = row.copy()
|
||||
new_row[col] = item
|
||||
rules.append(new_row)
|
||||
if not found:
|
||||
rules.append(row)
|
||||
|
||||
return rules
|
||||
|
||||
|
||||
simple_rules = read_rules(NAME)
|
||||
|
||||
SCOPES = {rule["scope"] for rule in simple_rules}
|
||||
CONTEXTS = ["sandbox", "organization"]
|
||||
OWNERSHIPS = ["self", "none"]
|
||||
GROUPS = ["admin", "business", "user", "worker", "none"]
|
||||
ORG_ROLES = ["owner", "maintainer", "supervisor", "worker", None]
|
||||
SAME_ORG = [False, True]
|
||||
|
||||
|
||||
def RESOURCES(scope):
|
||||
if scope == "list":
|
||||
return [None]
|
||||
else:
|
||||
return [
|
||||
{
|
||||
"user": {"id": random.randrange(300, 400)},
|
||||
"is_active": active,
|
||||
"role": role,
|
||||
"organization": {"id": random.randrange(500, 600)},
|
||||
}
|
||||
for role in ORG_ROLES
|
||||
if role is not None
|
||||
for active in [False, True]
|
||||
]
|
||||
|
||||
|
||||
def is_same_org(org1, org2):
|
||||
if org1 is not None and org2 is not None:
|
||||
return org1["id"] == org2["id"]
|
||||
elif org1 is None and org2 is None:
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
|
||||
def eval_rule(scope, context, ownership, privilege, membership, data):
|
||||
if privilege == "admin":
|
||||
return True
|
||||
|
||||
rules = list(filter(lambda r: scope == r["scope"], simple_rules))
|
||||
rules = list(filter(lambda r: r["context"] == "na" or context == r["context"], rules))
|
||||
rules = list(filter(lambda r: r["ownership"] == "na" or ownership == r["ownership"], rules))
|
||||
rules = list(
|
||||
filter(
|
||||
lambda r: r["membership"] == "na"
|
||||
or ORG_ROLES.index(membership) <= ORG_ROLES.index(r["membership"]),
|
||||
rules,
|
||||
)
|
||||
)
|
||||
rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r["privilege"]), rules))
|
||||
resource = data["resource"]
|
||||
rules = list(
|
||||
filter(lambda r: not r["limit"] or eval(r["limit"], {"resource": resource}), rules)
|
||||
)
|
||||
if (
|
||||
not is_same_org(data["auth"]["organization"], data["resource"]["organization"])
|
||||
and context != "sandbox"
|
||||
):
|
||||
return False
|
||||
|
||||
if scope != "create" and not data["resource"]["is_active"]:
|
||||
return False
|
||||
|
||||
return bool(rules)
|
||||
|
||||
|
||||
def get_data(scope, context, ownership, privilege, membership, resource, same_org):
|
||||
data = {
|
||||
"scope": scope,
|
||||
"auth": {
|
||||
"user": {"id": random.randrange(0, 100), "privilege": privilege},
|
||||
"organization": {
|
||||
"id": random.randrange(100, 200),
|
||||
"owner": {"id": random.randrange(200, 300)},
|
||||
"user": {"role": membership},
|
||||
}
|
||||
if context == "organization"
|
||||
else None,
|
||||
},
|
||||
"resource": resource,
|
||||
}
|
||||
|
||||
user_id = data["auth"]["user"]["id"]
|
||||
if context == "organization":
|
||||
org_id = data["auth"]["organization"]["id"]
|
||||
if data["auth"]["organization"]["user"]["role"] == "owner":
|
||||
data["auth"]["organization"]["owner"]["id"] = user_id
|
||||
|
||||
if same_org:
|
||||
data["resource"]["organization"]["id"] = org_id
|
||||
|
||||
if ownership == "self":
|
||||
data["resource"]["user"]["id"] = user_id
|
||||
|
||||
return data
|
||||
|
||||
|
||||
def _get_name(prefix, **kwargs):
|
||||
name = prefix
|
||||
for k, v in kwargs.items():
|
||||
prefix = "_" + str(k)
|
||||
if isinstance(v, dict):
|
||||
if "id" not in v:
|
||||
name += _get_name(prefix, **v)
|
||||
else:
|
||||
name += f'{prefix}_{str(v).upper().replace(":", "_")}'
|
||||
|
||||
return name
|
||||
|
||||
|
||||
def get_name(scope, context, ownership, privilege, membership, resource, same_org):
|
||||
return _get_name("test", **locals())
|
||||
|
||||
|
||||
def is_valid(scope, context, ownership, privilege, membership, resource, same_org):
|
||||
if context == "sandbox" and membership:
|
||||
return False
|
||||
if scope == "list" and ownership != "None":
|
||||
return False
|
||||
if context == "sandbox" and same_org is False:
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
||||
def gen_test_rego(name):
|
||||
with open(f"{name}_test.gen.rego", "wt") as f:
|
||||
f.write(f"package {name}\n\n")
|
||||
for scope, context, ownership, privilege, membership, same_org in product(
|
||||
SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG
|
||||
):
|
||||
for resource in RESOURCES(scope):
|
||||
if not is_valid(
|
||||
scope, context, ownership, privilege, membership, resource, same_org
|
||||
):
|
||||
continue
|
||||
|
||||
data = get_data(
|
||||
scope, context, ownership, privilege, membership, resource, same_org
|
||||
)
|
||||
test_name = get_name(
|
||||
scope, context, ownership, privilege, membership, resource, same_org
|
||||
)
|
||||
result = eval_rule(scope, context, ownership, privilege, membership, data)
|
||||
f.write(
|
||||
"{test_name} {{\n {allow} with input as {data}\n}}\n\n".format(
|
||||
test_name=test_name,
|
||||
allow="allow" if result else "not allow",
|
||||
data=json.dumps(data),
|
||||
)
|
||||
)
|
||||
|
||||
# Write the script which is used to generate the file
|
||||
with open(sys.argv[0]) as this_file:
|
||||
f.write(f"\n\n# {os.path.split(sys.argv[0])[1]}\n")
|
||||
for line in this_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
# Write rules which are used to generate the file
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as rego_file:
|
||||
f.write(f"\n\n# {name}.csv\n")
|
||||
for line in rego_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
|
||||
gen_test_rego(NAME)
|
||||
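Review bot: `eval_rule` runs each rule's `limit` cell through `eval()` with only `resource` in the namespace, and nothing in the script records that those cells are executable Python read from whatever directory `sys.argv[1]` names; the same call appears in the jobs, lambda, organizations and projects scripts. Because `read_rules` lowercases the whole row and then rewrites `none` to `None`, the expression is also silently transformed before evaluation, which is easy to miss when a limit stops matching. A comment above the filter would make the trust boundary explicit: `# "limit" cells are Python expressions from the rules CSV, executed with eval(); the CSV is trusted repository content, so never point sys.argv[1] at user-supplied data`.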
@ -0,0 +1,168 @@
|
||||
# Copyright (C) 2022 CVAT.ai Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: MIT
|
||||
|
||||
import csv
|
||||
import json
|
||||
import os
|
||||
import random
|
||||
import sys
|
||||
from itertools import product
|
||||
|
||||
NAME = "organizations"
|
||||
|
||||
|
||||
def read_rules(name):
|
||||
rules = []
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as f:
|
||||
reader = csv.DictReader(f)
|
||||
for row in reader:
|
||||
row = {k.lower(): v.lower().replace("n/a", "na") for k, v in row.items()}
|
||||
row["limit"] = row["limit"].replace("none", "None")
|
||||
found = False
|
||||
for col, val in row.items():
|
||||
if col in ["limit", "method", "url"]:
|
||||
continue
|
||||
complex_val = [v.strip() for v in val.split(",")]
|
||||
if len(complex_val) > 1:
|
||||
found = True
|
||||
for item in complex_val:
|
||||
new_row = row.copy()
|
||||
new_row[col] = item
|
||||
rules.append(new_row)
|
||||
if not found:
|
||||
rules.append(row)
|
||||
|
||||
return rules
|
||||
|
||||
|
||||
simple_rules = read_rules(NAME)
|
||||
|
||||
SCOPES = {rule["scope"] for rule in simple_rules}
|
||||
CONTEXTS = ["sandbox", "organization"]
|
||||
OWNERSHIPS = ["owner", "maintainer", "supervisor", "worker", "none"]
|
||||
GROUPS = ["admin", "business", "user", "worker", "none"]
|
||||
ORG_ROLES = ["owner", "maintainer", "supervisor", "worker", None]
|
||||
|
||||
|
||||
def RESOURCES(ownership):
|
||||
return [
|
||||
{"user": {"num_resources": n, "role": ownership if ownership != "none" else None}}
|
||||
for n in (0, 1, 10)
|
||||
] + [None]
|
||||
|
||||
|
||||
def eval_rule(scope, context, ownership, privilege, membership, data):
|
||||
if privilege == "admin":
|
||||
return True
|
||||
rules = list(filter(lambda r: scope == r["scope"], simple_rules))
|
||||
rules = list(filter(lambda r: r["context"] == "na" or context == r["context"], rules))
|
||||
rules = list(filter(lambda r: r["ownership"] == "na" or ownership == r["ownership"], rules))
|
||||
rules = list(filter(lambda r: r["membership"] == "na" or membership == r["membership"], rules))
|
||||
rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r["privilege"]), rules))
|
||||
resource = data["resource"]
|
||||
rules = list(
|
||||
filter(
|
||||
lambda r: not r["limit"]
|
||||
or r["limit"].startswith("filter")
|
||||
or eval(r["limit"], {"resource": resource}),
|
||||
rules,
|
||||
)
|
||||
)
|
||||
|
||||
return bool(rules)
|
||||
|
||||
|
||||
def get_data(scope, context, ownership, privilege, membership, resource):
|
||||
data = {
|
||||
"scope": scope,
|
||||
"auth": {
|
||||
"user": {"id": random.randrange(0, 100), "privilege": privilege},
|
||||
"organization": {
|
||||
"id": random.randrange(100, 200),
|
||||
"owner": {"id": random.randrange(200, 300)},
|
||||
"user": {"role": membership},
|
||||
}
|
||||
if context == "organization"
|
||||
else None,
|
||||
},
|
||||
"resource": {**resource, "owner": {"id": random.randrange(300, 400)}} if resource else None,
|
||||
}
|
||||
|
||||
user_id = data["auth"]["user"]["id"]
|
||||
if ownership == "owner":
|
||||
data["resource"]["owner"]["id"] = user_id
|
||||
|
||||
return data
|
||||
|
||||
|
||||
def _get_name(prefix, **kwargs):
|
||||
name = prefix
|
||||
for k, v in kwargs.items():
|
||||
name += "_" + str(k)
|
||||
if isinstance(v, dict):
|
||||
name += _get_name("", **v)
|
||||
else:
|
||||
name += f"_{str(v).upper()}"
|
||||
|
||||
return name
|
||||
|
||||
|
||||
def get_name(scope, context, ownership, privilege, membership, resource):
|
||||
return _get_name("test", **locals())
|
||||
|
||||
|
||||
def is_valid(scope, context, ownership, privilege, membership, resource):
|
||||
if context == "sandbox" and membership:
|
||||
return False
|
||||
if scope == "list" and resource is not None:
|
||||
return False
|
||||
if resource is None and scope != "list":
|
||||
return False
|
||||
if scope == "list" and ownership != "None":
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
||||
def gen_test_rego(name):
|
||||
with open(f"{name}_test.gen.rego", "wt") as f:
|
||||
f.write(f"package {name}\n\n")
|
||||
for scope, context, ownership, privilege, membership in product(
|
||||
SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES
|
||||
):
|
||||
for resource in RESOURCES(ownership):
|
||||
if not is_valid(scope, context, ownership, privilege, membership, resource):
|
||||
continue
|
||||
|
||||
test_name = get_name(scope, context, ownership, privilege, membership, resource)
|
||||
data = get_data(scope, context, ownership, privilege, membership, resource)
|
||||
result = eval_rule(scope, context, ownership, privilege, membership, data)
|
||||
f.write(
|
||||
"{test_name} {{\n {allow} with input as {data}\n}}\n\n".format(
|
||||
test_name=test_name,
|
||||
allow="allow" if result else "not allow",
|
||||
data=json.dumps(data),
|
||||
)
|
||||
)
|
||||
|
||||
# Write the script which is used to generate the file
|
||||
with open(sys.argv[0]) as this_file:
|
||||
f.write(f"\n\n# {os.path.split(sys.argv[0])[1]}\n")
|
||||
for line in this_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
# Write rules which are used to generate the file
|
||||
with open(os.path.join(sys.argv[1], f"{name}.csv")) as rego_file:
|
||||
f.write(f"\n\n# {name}.csv\n")
|
||||
for line in rego_file:
|
||||
if line.strip():
|
||||
f.write(f"# {line}")
|
||||
else:
|
||||
f.write(f"#\n")
|
||||
|
||||
|
||||
gen_test_rego(NAME)
|
||||
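Review bot: `eval_rule` here matches `membership` with plain equality, `membership == r["membership"]`, whereas the jobs, lambda, memberships and projects scripts treat ORG_ROLES as an ordered hierarchy (`ORG_ROLES.index(membership) <= ORG_ROLES.index(r["membership"])`), so a rule written for `worker` applies to an `owner` or `maintainer` in those scripts but not in this one. If organization rules deliberately use exact roles, the line deserves a comment saying so, e.g. `# exact role match: organization rules are not hierarchical`; if not, the filter should use the same index comparison as the other scripts. In the sandbox context `membership` is `None`, so the equality can only succeed for rules marked `n/a` — presumably intended, but worth confirming against `organizations.csv`.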
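--- /dev/null
+++ b/[PATH NOT SHOWN: projects generator]
@@ -0,0 +1,221 @@
+# Copyright (C) 2022 CVAT.ai Corporation
+#
+# SPDX-License-Identifier: MIT
+
+import csv
+import json
+import os
+import random
+import sys
+from itertools import product
+
+NAME = "projects"
+
+
+def read_rules(name):
+    rules = []
+    with open(os.path.join(sys.argv[1], f"{name}.csv")) as f:
+        reader = csv.DictReader(f)
+        for row in reader:
+            row = {k.lower(): v.lower().replace("n/a", "na") for k, v in row.items()}
+            row["limit"] = row["limit"].replace("none", "None")
+            found = False
+            for col, val in row.items():
+                if col in ["limit", "method", "url"]:
+                    continue
+                complex_val = [v.strip() for v in val.split(",")]
+                if len(complex_val) > 1:
+                    found = True
+                    for item in complex_val:
+                        new_row = row.copy()
+                        new_row[col] = item
+                        rules.append(new_row)
+            if not found:
+                rules.append(row)
+
+    return rules
+
+
+simple_rules = read_rules(NAME)
+
+SCOPES = {rule["scope"] for rule in simple_rules}
+CONTEXTS = ["sandbox", "organization"]
+OWNERSHIPS = ["owner", "assignee", "none"]
+GROUPS = ["admin", "business", "user", "worker", "none"]
+ORG_ROLES = ["owner", "maintainer", "supervisor", "worker", None]
+SAME_ORG = [False, True]
+
+
+def RESOURCES(scope):
+    if scope == "list":
+        return [None]
+    elif scope in ["create", "import:backup"]:
+        return [
+            {
+                "owner": {"id": random.randrange(400, 500)},
+                "assignee": {"id": random.randrange(500, 600)},
+                "organization": {"id": random.randrange(600, 700)},
+                "user": {"num_resources": count},
+            }
+            for count in (0, 1, 3, 10)
+        ]
+    else:
+        return [
+            {
+                "id": random.randrange(300, 400),
+                "owner": {"id": random.randrange(400, 500)},
+                "assignee": {"id": random.randrange(500, 600)},
+                "organization": {"id": random.randrange(600, 700)},
+            }
+        ]
+
+
+def is_same_org(org1, org2):
+    if org1 is not None and org2 is not None:
+        return org1["id"] == org2["id"]
+    elif org1 is None and org2 is None:
+        return True
+    else:
+        return False
+
+
+def eval_rule(scope, context, ownership, privilege, membership, data):
+    if privilege == "admin":
+        return True
+
+    rules = list(filter(lambda r: scope == r["scope"], simple_rules))
+    rules = list(filter(lambda r: r["context"] == "na" or context == r["context"], rules))
+    rules = list(filter(lambda r: r["ownership"] == "na" or ownership == r["ownership"], rules))
+    rules = list(
+        filter(
+            lambda r: r["membership"] == "na"
+            or ORG_ROLES.index(membership) <= ORG_ROLES.index(r["membership"]),
+            rules,
+        )
+    )
+    rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r["privilege"]), rules))
+    resource = data["resource"]
+    rules = list(
+        filter(lambda r: not r["limit"] or eval(r["limit"], {"resource": resource}), rules)
+    )
+    if (
+        not is_same_org(data["auth"]["organization"], data["resource"]["organization"])
+        and context != "sandbox"
+    ):
+        return False
+
+    return bool(rules)
+
+
+def get_data(scope, context, ownership, privilege, membership, resource, same_org):
+    data = {
+        "scope": scope,
+        "auth": {
+            "user": {"id": random.randrange(0, 100), "privilege": privilege},
+            "organization": {
+                "id": random.randrange(100, 200),
+                "owner": {"id": random.randrange(200, 300)},
+                "user": {"role": membership},
+            }
+            if context == "organization"
+            else None,
+        },
+        "resource": resource,
+    }
+
+    user_id = data["auth"]["user"]["id"]
+    if context == "organization":
+        org_id = data["auth"]["organization"]["id"]
+        if data["auth"]["organization"]["user"]["role"] == "owner":
+            data["auth"]["organization"]["owner"]["id"] = user_id
+
+        if same_org:
+            data["resource"]["organization"]["id"] = org_id
+
+    if ownership == "owner":
+        data["resource"]["owner"]["id"] = user_id
+
+    if ownership == "assignee":
+        data["resource"]["assignee"]["id"] = user_id
+
+    return data
+
+
+def _get_name(prefix, **kwargs):
+    name = prefix
+    for k, v in kwargs.items():
+        prefix = "_" + str(k)
+        if isinstance(v, dict):
+            if "id" in v:
+                v = v.copy()
+                v.pop("id")
+            if v:
+                name += _get_name(prefix, **v)
+        else:
+            name += f'{prefix}_{str(v).upper().replace(":", "_")}'
+
+    return name
+
+
+def get_name(scope, context, ownership, privilege, membership, resource, same_org):
+    return _get_name("test", **locals())
+
+
+def is_valid(scope, context, ownership, privilege, membership, resource, same_org):
+    if context == "sandbox" and membership:
+        return False
+    if scope == "list" and ownership != "None":
+        return False
+    if context == "sandbox" and same_org is False:
+        return False
+
+    return True
+
+
+def gen_test_rego(name):
+    with open(f"{name}_test.gen.rego", "wt") as f:
+        f.write(f"package {name}\n\n")
+        for scope, context, ownership, privilege, membership, same_org in product(
+            SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG
+        ):
+            for resource in RESOURCES(scope):
+                if not is_valid(
+                    scope, context, ownership, privilege, membership, resource, same_org
+                ):
+                    continue
+
+                data = get_data(
+                    scope, context, ownership, privilege, membership, resource, same_org
+                )
+                test_name = get_name(
+                    scope, context, ownership, privilege, membership, resource, same_org
+                )
+                result = eval_rule(scope, context, ownership, privilege, membership, data)
+                f.write(
+                    "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format(
+                        test_name=test_name,
+                        allow="allow" if result else "not allow",
+                        data=json.dumps(data),
+                    )
+                )
+
+        # Write the script which is used to generate the file
+        with open(sys.argv[0]) as this_file:
+            f.write(f"\n\n# {os.path.split(sys.argv[0])[1]}\n")
+            for line in this_file:
+                if line.strip():
+                    f.write(f"# {line}")
+                else:
+                    f.write(f"#\n")
+
+        # Write rules which are used to generate the file
+        with open(os.path.join(sys.argv[1], f"{name}.csv")) as csv_file:
+            f.write(f"\n\n# {name}.csv\n")
+            for line in csv_file:
+                if line.strip():
+                    f.write(f"# {line}")
+                else:
+                    f.write(f"#\n")
+
+
+gen_test_rego(NAME)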
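Review bot: `is_valid` rejects `list` cases with `ownership != "None"`, but OWNERSHIPS only holds lower-case values (`"none"`), so that guard is always true and no `list` test is ever generated; the same line appears in the server, tasks, users and webhooks generators, and tasks and webhooks repeat the comparison in their `create`/`import:backup` guards. If the intent is to keep only the ownership-free case, the line should read `if scope == "list" and ownership != "none":`. Once `list` cases do get through, `eval_rule` subscripts `data["resource"]["organization"]` while `RESOURCES("list")` yields `None`, so that check needs a `resource is not None` guard (or `is_valid` has to keep skipping it) before the comparison is fixed. Separately, the output is not reproducible: `random` is never seeded here (nor in the server and users generators), and `SCOPES` is a set of strings whose iteration order varies per process under hash randomization, so iterating `sorted(SCOPES)` in `gen_test_rego` is needed for stable output in all five files.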
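--- /dev/null
+++ b/[PATH NOT SHOWN: server generator]
@@ -0,0 +1,161 @@
+# Copyright (C) 2022 CVAT.ai Corporation
+#
+# SPDX-License-Identifier: MIT
+
+import csv
+import json
+import os
+import random
+import sys
+from itertools import product
+
+NAME = "server"
+
+
+def read_rules(name):
+    rules = []
+    with open(os.path.join(sys.argv[1], f"{name}.csv")) as f:
+        reader = csv.DictReader(f)
+        for row in reader:
+            row = {k.lower(): v.lower().replace("n/a", "na") for k, v in row.items()}
+            row["limit"] = row["limit"].replace("none", "None")
+            found = False
+            for col, val in row.items():
+                if col in ["limit", "method", "url"]:
+                    continue
+                complex_val = [v.strip() for v in val.split(",")]
+                if len(complex_val) > 1:
+                    found = True
+                    for item in complex_val:
+                        new_row = row.copy()
+                        new_row[col] = item
+                        rules.append(new_row)
+            if not found:
+                rules.append(row)
+
+    return rules
+
+
+simple_rules = read_rules(NAME)
+
+SCOPES = {rule["scope"] for rule in simple_rules}
+CONTEXTS = ["sandbox", "organization"]
+OWNERSHIPS = ["none"]
+GROUPS = ["admin", "business", "user", "worker", "none"]
+ORG_ROLES = ["owner", "maintainer", "supervisor", "worker", None]
+
+
+def eval_rule(scope, context, ownership, privilege, membership, data):
+    if privilege == "admin":
+        return True
+
+    rules = list(filter(lambda r: scope == r["scope"], simple_rules))
+    rules = list(filter(lambda r: r["context"] == "na" or context == r["context"], rules))
+    rules = list(filter(lambda r: r["ownership"] == "na" or ownership == r["ownership"], rules))
+    rules = list(
+        filter(
+            lambda r: r["membership"] == "na"
+            or ORG_ROLES.index(membership) <= ORG_ROLES.index(r["membership"]),
+            rules,
+        )
+    )
+    rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r["privilege"]), rules))
+    rules = list(filter(lambda r: not r["limit"] or eval(r["limit"]), rules))
+
+    return bool(rules)
+
+
+def get_data(scope, context, ownership, privilege, membership):
+    data = {
+        "scope": scope,
+        "auth": {
+            "user": {"id": random.randrange(0, 100), "privilege": privilege},
+            "organization": {
+                "id": random.randrange(100, 200),
+                "owner": {"id": random.randrange(200, 300)},
+                "user": {"role": membership},
+            }
+            if context == "organization"
+            else None,
+        },
+    }
+
+    user_id = data["auth"]["user"]["id"]
+    if context == "organization":
+        if data["auth"]["organization"]["user"]["role"] == "owner":
+            data["auth"]["organization"]["owner"]["id"] = user_id
+
+    return data
+
+
+def _get_name(prefix, **kwargs):
+    name = prefix
+    for k, v in kwargs.items():
+        prefix = "_" + str(k)
+        if isinstance(v, dict):
+            if "id" in v:
+                v = v.copy()
+                v.pop("id")
+            if v:
+                name += _get_name(prefix, **v)
+        else:
+            name += f'{prefix}_{str(v).upper().replace(":", "_")}'
+
+    return name
+
+
+def get_name(scope, context, ownership, privilege, membership):
+    return _get_name("test", **locals())
+
+
+def is_valid(scope, context, ownership, privilege, membership):
+    if context == "sandbox" and membership:
+        return False
+    if scope == "list" and ownership != "None":
+        return False
+    if context == "organization" and membership is None:
+        return False
+
+    return True
+
+
+def gen_test_rego(name):
+    with open(f"{name}_test.gen.rego", "wt") as f:
+        f.write(f"package {name}\n\n")
+        for scope, context, ownership, privilege, membership in product(
+            SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES
+        ):
+            if not is_valid(scope, context, ownership, privilege, membership):
+                continue
+
+            data = get_data(scope, context, ownership, privilege, membership)
+            test_name = get_name(scope, context, ownership, privilege, membership)
+            result = eval_rule(scope, context, ownership, privilege, membership, data)
+            f.write(
+                "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format(
+                    test_name=test_name,
+                    allow="allow" if result else "not allow",
+                    data=json.dumps(data),
+                )
+            )
+
+        # Write the script which is used to generate the file
+        with open(sys.argv[0]) as this_file:
+            f.write(f"\n\n# {os.path.split(sys.argv[0])[1]}\n")
+            for line in this_file:
+                if line.strip():
+                    f.write(f"# {line}")
+                else:
+                    f.write(f"#\n")
+
+        # Write rules which are used to generate the file
+        with open(os.path.join(sys.argv[1], f"{name}.csv")) as rego_file:
+            f.write(f"\n\n# {name}.csv\n")
+            for line in rego_file:
+                if line.strip():
+                    f.write(f"# {line}")
+                else:
+                    f.write(f"#\n")
+
+
+gen_test_rego(NAME)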
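Review bot: `eval_rule` calls `eval(r["limit"])` with no namespace, unlike the other four generators which pass `{"resource": resource}`, so any `limit` expression in server.csv that names `resource` raises NameError at generation time instead of being evaluated; if server rules genuinely carry no limits, a comment on that line saying so would make the asymmetry intentional rather than accidental. More generally, every generator evaluates CSV cell text with `eval`, which is acceptable for a repository-local dev tool reading rules from the directory given on the command line, but the trust boundary deserves to be written down on the `eval` line, e.g. `# "limit" is a Python expression taken verbatim from the rules CSV; the CSV is repo-controlled input`, so a future caller does not point the generator at an untrusted file.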
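--- /dev/null
+++ b/[PATH NOT SHOWN: tasks generator]
@@ -0,0 +1,248 @@
+# Copyright (C) 2022 CVAT.ai Corporation
+#
+# SPDX-License-Identifier: MIT
+
+import csv
+import json
+import os
+import random
+import sys
+from itertools import product
+
+random.seed(42)
+
+NAME = "tasks"
+
+
+def read_rules(name):
+    rules = []
+    with open(os.path.join(sys.argv[1], f"{name}.csv")) as f:
+        reader = csv.DictReader(f)
+        for row in reader:
+            row = {k.lower(): v.lower().replace("n/a", "na") for k, v in row.items()}
+            row["limit"] = row["limit"].replace("none", "None")
+            found = False
+            for col, val in row.items():
+                if col in ["limit", "method", "url", "resource"]:
+                    continue
+                complex_val = [v.strip() for v in val.split(",")]
+                if len(complex_val) > 1:
+                    found = True
+                    for item in complex_val:
+                        new_row = row.copy()
+                        new_row[col] = item
+                        rules.append(new_row)
+            if not found:
+                rules.append(row)
+
+    return rules
+
+
+simple_rules = read_rules(NAME)
+
+SCOPES = list({rule["scope"] for rule in simple_rules})
+CONTEXTS = ["sandbox", "organization"]
+OWNERSHIPS = ["project:owner", "project:assignee", "owner", "assignee", "none"]
+GROUPS = ["admin", "business", "user", "worker", "none"]
+ORG_ROLES = ["owner", "maintainer", "supervisor", "worker", None]
+SAME_ORG = [True, False]
+
+
+def RESOURCES(scope):
+    if scope == "list":
+        return [None]
+    elif scope.startswith("create") or scope == "import:backup":
+        return [
+            {
+                "owner": {"id": random.randrange(400, 500)},
+                "assignee": {"id": random.randrange(500, 600)},
+                "organization": {"id": random.randrange(600, 700)},
+                "project": {
+                    "owner": {"id": random.randrange(700, 800)},
+                    "assignee": {"id": random.randrange(800, 900)},
+                    "organization": {"id": random.randrange(900, 1000)},
+                },
+                "user": {"num_resources": count},
+            }
+            for count in (0, 3, 10)
+        ]
+    else:
+        return [
+            {
+                "id": random.randrange(300, 400),
+                "owner": {"id": random.randrange(400, 500)},
+                "assignee": {"id": random.randrange(500, 600)},
+                "organization": {"id": random.randrange(600, 700)},
+                "project": {
+                    "owner": {"id": random.randrange(700, 800)},
+                    "assignee": {"id": random.randrange(800, 900)},
+                    "organization": {"id": random.randrange(900, 1000)},
+                },
+            }
+        ]
+
+
+def is_same_org(org1, org2):
+    if org1 is not None and org2 is not None:
+        return org1["id"] == org2["id"]
+    elif org1 is None and org2 is None:
+        return True
+    else:
+        return False
+
+
+def eval_rule(scope, context, ownership, privilege, membership, data):
+    if privilege == "admin":
+        return True
+
+    rules = list(filter(lambda r: scope == r["scope"], simple_rules))
+    rules = list(filter(lambda r: r["context"] == "na" or context == r["context"], rules))
+    rules = list(filter(lambda r: r["ownership"] == "na" or ownership == r["ownership"], rules))
+    rules = list(
+        filter(
+            lambda r: r["membership"] == "na"
+            or ORG_ROLES.index(membership) <= ORG_ROLES.index(r["membership"]),
+            rules,
+        )
+    )
+    rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r["privilege"]), rules))
+    resource = data["resource"]
+    rules = list(
+        filter(lambda r: not r["limit"] or eval(r["limit"], {"resource": resource}), rules)
+    )
+    if (
+        not is_same_org(data["auth"]["organization"], data["resource"]["organization"])
+        and context != "sandbox"
+    ):
+        return False
+
+    return bool(rules)
+
+
+def get_data(scope, context, ownership, privilege, membership, resource, same_org):
+    data = {
+        "scope": scope,
+        "auth": {
+            "user": {"id": random.randrange(0, 100), "privilege": privilege},
+            "organization": {
+                "id": random.randrange(100, 200),
+                "owner": {"id": random.randrange(200, 300)},
+                "user": {"role": membership},
+            }
+            if context == "organization"
+            else None,
+        },
+        "resource": resource,
+    }
+
+    user_id = data["auth"]["user"]["id"]
+    if context == "organization":
+        org_id = data["auth"]["organization"]["id"]
+        if data["auth"]["organization"]["user"]["role"] == "owner":
+            data["auth"]["organization"]["owner"]["id"] = user_id
+
+        if same_org:
+            data["resource"]["organization"]["id"] = org_id
+
+    if ownership == "owner":
+        data["resource"]["owner"]["id"] = user_id
+
+    if ownership == "assignee":
+        data["resource"]["assignee"]["id"] = user_id
+
+    if ownership == "project:owner":
+        data["resource"]["project"]["owner"]["id"] = user_id
+
+    if ownership == "project:assignee":
+        data["resource"]["project"]["assignee"]["id"] = user_id
+
+    return data
+
+
+def _get_name(prefix, **kwargs):
+    name = prefix
+    for k, v in kwargs.items():
+        prefix = "_" + str(k)
+        if isinstance(v, dict):
+            if "id" in v:
+                v = v.copy()
+                v.pop("id")
+            if v:
+                name += _get_name(prefix, **v)
+        else:
+            name += "".join(
+                map(
+                    lambda c: c if c.isalnum() else {"@": "_IN_"}.get(c, "_"),
+                    f"{prefix}_{str(v).upper()}",
+                )
+            )
+
+    return name
+
+
+def get_name(scope, context, ownership, privilege, membership, resource, same_org):
+    return _get_name("test", **locals())
+
+
+def is_valid(scope, context, ownership, privilege, membership, resource, same_org):
+    if context == "sandbox" and membership:
+        return False
+    if scope == "list" and ownership != "None":
+        return False
+    if context == "sandbox" and same_org is False:
+        return False
+    if scope.startswith("create") and ownership in ["owner", "assignee"]:
+        return False
+    if scope in ["create", "import:backup"] and ownership != "None":
+        return False
+
+    return True
+
+
+def gen_test_rego(name):
+    with open(f"{name}_test.gen.rego", "wt") as f:
+        f.write(f"package {name}\n\n")
+        for scope, context, ownership, privilege, membership, same_org in product(
+            SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG
+        ):
+            for resource in RESOURCES(scope):
+                if not is_valid(
+                    scope, context, ownership, privilege, membership, resource, same_org
+                ):
+                    continue
+
+                data = get_data(
+                    scope, context, ownership, privilege, membership, resource, same_org
+                )
+                test_name = get_name(
+                    scope, context, ownership, privilege, membership, resource, same_org
+                )
+                result = eval_rule(scope, context, ownership, privilege, membership, data)
+                f.write(
+                    "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format(
+                        test_name=test_name,
+                        allow="allow" if result else "not allow",
+                        data=json.dumps(data),
+                    )
+                )
+
+        # Write the script which is used to generate the file
+        with open(sys.argv[0]) as this_file:
+            f.write(f"\n\n# {os.path.split(sys.argv[0])[1]}\n")
+            for line in this_file:
+                if line.strip():
+                    f.write(f"# {line}")
+                else:
+                    f.write(f"#\n")
+
+        # Write rules which are used to generate the file
+        with open(os.path.join(sys.argv[1], f"{name}.csv")) as rego_file:
+            f.write(f"\n\n# {name}.csv\n")
+            for line in rego_file:
+                if line.strip():
+                    f.write(f"# {line}")
+                else:
+                    f.write(f"#\n")
+
+
+gen_test_rego(NAME)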
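Review bot: `_get_name` has no docstring, and this copy behaves differently from the projects, server and users copies (which only map `:` to `_`): here every non-alphanumeric character becomes `_` except `@`, which becomes `_IN_`, so ownership values such as `project:owner` and any scope containing `@` are rendered differently from the other generators. A docstring on the function, `"""Build a Rego test name from the case parameters: dict values recurse (dropping any "id" key); "@" becomes "_IN_" and every other non-alphanumeric character becomes "_"."""`, would state the naming scheme. Since `read_rules`, `_get_name`, `eval_rule` and `gen_test_rego` are duplicated across the five generators with small local differences, a comment pointing at the divergence (or a shared helper module) would keep the copies from drifting further.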
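--- /dev/null
+++ b/[PATH NOT SHOWN: users generator]
@@ -0,0 +1,180 @@
+# Copyright (C) 2022 CVAT.ai Corporation
+#
+# SPDX-License-Identifier: MIT
+
+import csv
+import json
+import os
+import random
+import sys
+from itertools import product
+
+NAME = "users"
+
+
+def read_rules(name):
+    rules = []
+    with open(os.path.join(sys.argv[1], f"{name}.csv")) as f:
+        reader = csv.DictReader(f)
+        for row in reader:
+            row = {k.lower(): v.lower().replace("n/a", "na") for k, v in row.items()}
+            row["limit"] = row["limit"].replace("none", "None")
+            found = False
+            for col, val in row.items():
+                if col in ["limit", "method", "url"]:
+                    continue
+                complex_val = [v.strip() for v in val.split(",")]
+                if len(complex_val) > 1:
+                    found = True
+                    for item in complex_val:
+                        new_row = row.copy()
+                        new_row[col] = item
+                        rules.append(new_row)
+            if not found:
+                rules.append(row)
+
+    return rules
+
+
+simple_rules = read_rules(NAME)
+
+SCOPES = {rule["scope"] for rule in simple_rules}
+CONTEXTS = ["sandbox", "organization"]
+OWNERSHIPS = ["self", "none"]
+GROUPS = ["admin", "business", "user", "worker", "none"]
+ORG_ROLES = ["owner", "maintainer", "supervisor", "worker", None]
+
+
+def RESOURCES(scope):
+    if scope == "list":
+        return [None]
+    else:
+        return [
+            {"id": random.randrange(300, 400), "membership": {"role": role}} for role in ORG_ROLES
+        ]
+
+
+def eval_rule(scope, context, ownership, privilege, membership, data):
+    if privilege == "admin":
+        return True
+
+    rules = list(filter(lambda r: scope == r["scope"], simple_rules))
+    rules = list(filter(lambda r: r["context"] == "na" or context == r["context"], rules))
+    rules = list(filter(lambda r: r["ownership"] == "na" or ownership == r["ownership"], rules))
+    rules = list(
+        filter(
+            lambda r: r["membership"] == "na"
+            or ORG_ROLES.index(membership) <= ORG_ROLES.index(r["membership"]),
+            rules,
+        )
+    )
+    rules = list(filter(lambda r: GROUPS.index(privilege) <= GROUPS.index(r["privilege"]), rules))
+    resource = data["resource"]
+    rules = list(
+        filter(lambda r: not r["limit"] or eval(r["limit"], {"resource": resource}), rules)
+    )
+
+    return bool(rules)
+
+
+def get_data(scope, context, ownership, privilege, membership, resource):
+    data = {
+        "scope": scope,
+        "auth": {
+            "user": {"id": random.randrange(0, 100), "privilege": privilege},
+            "organization": {
+                "id": random.randrange(100, 200),
+                "owner": {"id": random.randrange(200, 300)},
+                "user": {"role": membership},
+            }
+            if context == "organization"
+            else None,
+        },
+        "resource": resource,
+    }
+
+    user_id = data["auth"]["user"]["id"]
+    if context == "organization":
+        if data["auth"]["organization"]["user"]["role"] == "owner":
+            data["auth"]["organization"]["owner"]["id"] = user_id
+
+    if ownership == "self":
+        data["resource"]["id"] = user_id
+
+    return data
+
+
+def _get_name(prefix, **kwargs):
+    name = prefix
+    for k, v in kwargs.items():
+        prefix = "_" + str(k)
+        if isinstance(v, dict):
+            if "id" in v:
+                v = v.copy()
+                v.pop("id")
+            if v:
+                name += _get_name(prefix, **v)
+        else:
+            name += f'{prefix}_{str(v).upper().replace(":", "_")}'
+
+    return name
+
+
+def get_name(scope, context, ownership, privilege, membership, resource):
+    return _get_name("test", **locals())
+
+
+def is_valid(scope, context, ownership, privilege, membership, resource):
+    if context == "sandbox" and membership:
+        return False
+    if scope == "list" and ownership != "None":
+        return False
+    if context == "sandbox" and resource["membership"]["role"] is not None:
+        return False
+    if context == "organization" and membership is None:
+        return False
+
+    return True
+
+
+def gen_test_rego(name):
+    with open(f"{name}_test.gen.rego", "wt") as f:
+        f.write(f"package {name}\n\n")
+        for scope, context, ownership, privilege, membership in product(
+            SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES
+        ):
+            for resource in RESOURCES(scope):
+                if not is_valid(scope, context, ownership, privilege, membership, resource):
+                    continue
+
+                data = get_data(scope, context, ownership, privilege, membership, resource)
+                test_name = get_name(scope, context, ownership, privilege, membership, resource)
+                result = eval_rule(scope, context, ownership, privilege, membership, data)
+                f.write(
+                    "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format(
+                        test_name=test_name,
+                        allow="allow" if result else "not allow",
+                        data=json.dumps(data),
+                    )
+                )
+
+        # Write the script which is used to generate the file
+        with open(sys.argv[0]) as this_file:
+            f.write(f"\n\n# {os.path.split(sys.argv[0])[1]}\n")
+            for line in this_file:
+                if line.strip():
+                    f.write(f"# {line}")
+                else:
+                    f.write(f"#\n")
+
+        # Write rules which are used to generate the file
+        with open(os.path.join(sys.argv[1], f"{name}.csv")) as rego_file:
+            f.write(f"\n\n# {name}.csv\n")
+            for line in rego_file:
+                if line.strip():
+                    f.write(f"# {line}")
+                else:
+                    f.write(f"#\n")
+
+
+gen_test_rego(NAME)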
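Review bot: `is_valid` dereferences `resource["membership"]["role"]` in its third check, but `RESOURCES("list")` yields `None`, so the function only avoids a TypeError because the preceding `list` check returns first (and that check currently rejects every `list` case, as noted on the projects generator). Making the guard explicit, `if context == "sandbox" and resource is not None and resource["membership"]["role"] is not None:`, keeps the function correct if the order of checks or the `list` guard changes.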
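--- /dev/null
+++ b/[PATH NOT SHOWN: webhooks generator]
@@ -0,0 +1,224 @@
+# Copyright (C) 2022 CVAT.ai Corporation
+#
+# SPDX-License-Identifier: MIT
+
+import csv
+import json
+import os
+import random
+import sys
+from itertools import product
+
+NAME = "webhooks"
+
+
+def read_rules(name):
+    rules = []
+    with open(os.path.join(sys.argv[1], f"{name}.csv")) as f:
+        reader = csv.DictReader(f)
+        for row in reader:
+            row = {k.lower(): v.lower().replace("n/a", "na") for k, v in row.items()}
+            row["limit"] = row["limit"].replace("none", "None")
+            found = False
+            for col, val in row.items():
+                if col in ["limit", "method", "url", "resource"]:
+                    continue
+                complex_val = [v.strip() for v in val.split(",")]
+                if len(complex_val) > 1:
+                    found = True
+                    for item in complex_val:
+                        new_row = row.copy()
+                        new_row[col] = item
+                        rules.append(new_row)
+            if not found:
+                rules.append(row)
+    return rules
+
+
+random.seed(42)
+simple_rules = read_rules(NAME)
+SCOPES = list({rule["scope"] for rule in simple_rules})
+CONTEXTS = ["sandbox", "organization"]
+OWNERSHIPS = ["project:owner", "owner", "none"]
+GROUPS = ["admin", "business", "user", "worker", "none"]
+ORG_ROLES = ["owner", "maintainer", "supervisor", "worker", None]
+SAME_ORG = [True, False]
+
+
+def RESOURCES(scope):
+    if scope == "list":
+        return [None]
+    elif scope == "create@project":
+        return [
+            {
+                "owner": {"id": random.randrange(100, 200)},
+                "assignee": {"id": random.randrange(200, 300)},
+                "organization": {"id": random.randrange(300, 400)},
+                "project": {"owner": {"id": random.randrange(400, 500)}},
+                "num_resources": count,
+            }
+            for count in (0, 3, 10)
+        ]
+    elif scope == "create@organization":
+        return [
+            {
+                "owner": {"id": random.randrange(100, 200)},
+                "assignee": {"id": random.randrange(200, 300)},
+                "organization": {"id": random.randrange(300, 400)},
+                "project": None,
+                "num_resources": count,
+            }
+            for count in (0, 3, 10)
+        ]
+    else:
+        return [
+            {
+                "id": random.randrange(100, 200),
+                "owner": {"id": random.randrange(200, 300)},
+                "organization": {"id": random.randrange(300, 400)},
+                "project": {"owner": {"id": random.randrange(400, 500)}},
+            }
+        ]
+
+
+def is_same_org(org1, org2):
+    if org1 is not None and org2 is not None:
+        return org1["id"] == org2["id"]
+    elif org1 is None and org2 is None:
+        return True
+    return False
+
+
+def eval_rule(scope, context, ownership, privilege, membership, data):
+    if privilege == "admin":
+        return True
+
+    rules = list(
+        filter(
+            lambda r: scope == r["scope"]
+            and (r["context"] == "na" or context == r["context"])
+            and (r["ownership"] == "na" or ownership == r["ownership"])
+            and (
+                r["membership"] == "na"
+                or ORG_ROLES.index(membership) <= ORG_ROLES.index(r["membership"])
+            )
+            and GROUPS.index(privilege) <= GROUPS.index(r["privilege"]),
+            simple_rules,
+        )
+    )
+
+    resource = data["resource"]
+
+    rules = list(
+        filter(lambda r: not r["limit"] or eval(r["limit"], {"resource": resource}), rules)
+    )
+    if (
+        not is_same_org(data["auth"]["organization"], data["resource"]["organization"])
+        and context != "sandbox"
+    ):
+        return False
+    return bool(rules)
+
+
+def get_data(scope, context, ownership, privilege, membership, resource, same_org):
+    data = {
+        "scope": scope,
+        "auth": {
+            "user": {"id": random.randrange(0, 100), "privilege": privilege},
+            "organization": {
+                "id": random.randrange(100, 200),
+                "owner": {"id": random.randrange(200, 300)},
+                "user": {"role": membership},
+            }
+            if context == "organization"
+            else None,
+        },
+        "resource": resource,
+    }
+
+    user_id = data["auth"]["user"]["id"]
+
+    if context == "organization":
+        org_id = data["auth"]["organization"]["id"]
+        if data["auth"]["organization"]["user"]["role"] == "owner":
+            data["auth"]["organization"]["owner"]["id"] = user_id
+        if same_org:
+            data["resource"]["organization"]["id"] = org_id
+
+    if ownership == "owner":
+        data["resource"]["owner"]["id"] = user_id
+
+    if ownership == "project:owner":
+        data["resource"]["project"]["owner"]["id"] = user_id
+
+    return data
+
+
+def _get_name(prefix, **kwargs):
+    name = prefix
+    for k, v in kwargs.items():
+        prefix = "_" + str(k)
+        if isinstance(v, dict):
+            if "id" in v:
+                v = v.copy()
+                v.pop("id")
+            if v:
+                name += _get_name(prefix, **v)
+        else:
+            name += "".join(
+                map(
+                    lambda c: c if c.isalnum() else {"@": "_IN_"}.get(c, "_"),
+                    f"{prefix}_{str(v).upper()}",
+                )
+            )
+    return name
+
+
+def get_name(scope, context, ownership, privilege, membership, resource, same_org):
+    return _get_name("test", **locals())
+
+
+def is_valid(scope, context, ownership, privilege, membership, resource, same_org):
+    if context == "sandbox" and membership:
+        return False
+    if scope == "list" and ownership != "None":
+        return False
+    if context == "sandbox" and not same_org:
+        return False
+    if scope.startswith("create") and ownership != "None":
+        return False
+
+    return True
+
+
+def gen_test_rego(name):
+    with open(f"{name}_test.gen.rego", "wt") as f:
+        f.write(f"package {name}\n\n")
+        for scope, context, ownership, privilege, membership, same_org in product(
+            SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG
+        ):
+            for resource in RESOURCES(scope):
+
+                if not is_valid(
+                    scope, context, ownership, privilege, membership, resource, same_org
+                ):
+                    continue
+
+                data = get_data(
+                    scope, context, ownership, privilege, membership, resource, same_org
+                )
+                test_name = get_name(
+                    scope, context, ownership, privilege, membership, resource, same_org
+                )
+                result = eval_rule(scope, context, ownership, privilege, membership, data)
+
+                f.write(
+                    "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format(
+                        test_name=test_name,
+                        allow="allow" if result else "not allow",
+                        data=json.dumps(data),
+                    )
+                )
+
+
+gen_test_rego(NAME)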
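Review bot: `RESOURCES` puts `num_resources` at the top level of the resource for the two `create@...` scopes, whereas the projects and tasks generators nest it under `"user"`, so the `limit` expressions in webhooks.csv must be written against a different shape than the other CSVs and nothing in the code says so. A comment on the `eval` line in `eval_rule`, `# limit expressions see the resource dict built by RESOURCES(); for create@* scopes num_resources is top-level, not under "user"`, would pin the contract between this generator and its CSV. Note that every `create@...` case is currently dropped by the `scope.startswith("create") and ownership != "None"` guard in `is_valid` (the same comparison flagged on the projects generator), so this resource shape has not yet been exercised by any generated test; unlike the other generators, this file also omits the block that appends the script and CSV as comments to the generated file, which looks unintentional if the files are meant to be self-describing.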