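AT_BANNER([OVSDB -- ovsdb-server rbac])

AT_SETUP([ovsdb-server/rbac 2])
AT_KEYWORDS([ovsdb server rbac])
AT_SKIP_IF([test "$HAVE_OPENSSL" = no])

# Build a throw-away PKI inside the test directory: a CA named "switch",
# one server certificate and two client certificates.  The client names
# ("client-1", "client-2") are the identities that ovsdb-server reports in
# the RBAC error messages asserted on below, so every check in this test
# hinges on the TLS-authenticated identity, not on anything the client
# puts in its JSON request.
RBAC_PKIDIR="$(pwd)"
RBAC_PKI="sh $abs_top_srcdir/utilities/ovs-pki.in --dir=$RBAC_PKIDIR/pki --log=$RBAC_PKIDIR/rbac-pki.log"
$RBAC_PKI init
$RBAC_PKI req+sign ovsdb-server switch
$RBAC_PKI -u req+sign client-1 switch
$RBAC_PKI -u req+sign client-2 switch

# Schema under test.  "Root"/"Connection" carry the listener configuration
# (the server is started with --remote=db:mydb,Root,connections, so the
# "role" column of the Connection row is what binds a listener to an RBAC
# role).  "RBAC_Role" maps table names to "RBAC_Permission" rows.  The
# three colour tables differ only in how the owning identity is stored:
# "fixed_colors" has no owner column, "user_colors" keeps it in a plain
# string ("creator"), and "other_colors" keeps it in a string map.
AT_DATA([schema],
  [[{"name": "mydb",
     "tables": {
       "Root": {
         "columns": {
           "connections": {
             "type": {
               "key": {"type": "uuid", "refTable": "Connection"},
               "min": 0,
               "max": "unlimited"}}},
         "isRoot": true},
       "Connection": {
         "columns": {
           "target": {
             "type": "string"},
           "role": {
             "type": "string"}}},
       "RBAC_Role": {
         "columns": {
           "name": {"type": "string"},
           "permissions": {
             "type": {"key": {"type": "string"},
                      "value": {"type": "uuid",
                                "refTable": "RBAC_Permission",
                                "refType": "weak"},
                      "min": 0, "max": "unlimited"}}},
         "isRoot": true},
       "RBAC_Permission": {
         "columns": {
           "table": {"type": "string"},
           "authorization": {"type": {"key": "string",
                                      "min": 0,
                                      "max": "unlimited"}},
           "insert_delete": {"type": "boolean"},
           "update" : {"type": {"key": "string",
                                "min": 0,
                                "max": "unlimited"}}},
         "isRoot": true},
       "fixed_colors": {
         "columns": {
           "name": {"type": "string"}, "value": {"type": "integer"}},
         "indexes": [["name"]],
         "isRoot": true},
       "user_colors": {
         "columns": {
           "creator": {"type": "string"},
           "name": {"type": "string"},
           "value": {"type": "integer"}},
         "indexes": [["name"]],
         "isRoot": true},
       "other_colors": {
         "columns": {
           "creator": {
             "type": {"key": {"type": "string"},
                      "value": {"type": "string"},
                      "min": 0, "max": "unlimited"}},
           "name": {"type": "string"},
           "value": {"type": "integer"}},
         "indexes": [["name"]],
         "isRoot": true}
     },
     "version": "5.1.3",
     "cksum": "12345678 9"
  }
]])

# Seed the database.  Role "testrole" gets two permission rows:
#   y: "user_colors"  -- owner identity compared against the "creator"
#                        string column
#   z: "other_colors" -- owner identity compared against the "chassis"
#                        key of the "creator" map column ("creator:chassis")
# Both allow insert/delete and updates of "name" and "value" only.
# "fixed_colors" deliberately has no entry, so Test 1 can show that a
# table missing from the role's map is refused.
# Permission row z previously said "table": "user_colors", a copy-paste
# slip: the role's map is what is keyed by table name, so the test passed
# regardless, but the fixture now describes itself consistently.
AT_CHECK([ovsdb-tool create db schema], [0], [ignore], [ignore])
AT_CHECK(
  [[ovsdb-tool transact db \
     '["mydb",
       {"op": "insert",
        "table": "Root",
        "row": {
          "connections": ["set", [["named-uuid", "x"]]]}},
       {"op": "insert",
        "table": "Connection",
        "uuid-name": "x",
        "row": {"target": "pssl:0:127.0.0.1",
                "role": "testrole"}},
       {"op": "insert",
        "table": "fixed_colors",
        "row": {"name": "red",
                "value": '16711680'}},
       {"op": "insert",
        "table": "RBAC_Role",
        "row": {"name": "testrole",
                "permissions": ["map", [["user_colors", ["named-uuid", "y"]],
                                        ["other_colors", ["named-uuid", "z"]]]]}},
       {"op": "insert",
        "table": "RBAC_Permission",
        "uuid-name": "y",
        "row": {"authorization": "creator",
                "insert_delete": true,
                "table": "user_colors",
                "update": ["set", ["name", "value"]]}},
       {"op": "insert",
        "table": "RBAC_Permission",
        "uuid-name": "z",
        "row": {"authorization": "creator:chassis",
                "insert_delete": true,
                "table": "other_colors",
                "update": ["set", ["name", "value"]]}}
     ]']], [0], [ignore], [ignore])

# Start the server with its listener taken from the database (the
# "pssl:0:127.0.0.1" Connection row above), requiring client certificates
# signed by the test CA.  The actual port is recovered from the log.
AT_CHECK([ovsdb-server --log-file --detach --no-chdir --pidfile --remote=db:mydb,Root,connections \
          --private-key=$RBAC_PKIDIR/ovsdb-server-privkey.pem \
          --certificate=$RBAC_PKIDIR/ovsdb-server-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          db], [0], [ignore], [ignore])
PARSE_LISTENING_PORT([ovsdb-server.log], [SSL_PORT])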
124 | ||
# Test 1:
# Attempt to insert a row into the "fixed_colors" table. This should
# fail as there are no permissions for role "testrole" for this table.
# ("testrole" maps only "user_colors" and "other_colors"; a table absent
# from the role's map is refused outright.)  Note that ovsdb-client
# itself exits 0: the denial arrives as a "permission error" in the JSON
# reply, which is what the second AT_CHECK asserts on.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
          --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
          --certificate=$RBAC_PKIDIR/client-1-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          ['["mydb",
            {"op": "insert",
             "table": "fixed_colors",
             "row": {"name": "chartreuse", "value": '8388352'}}
          ]']], [0], [stdout], [ignore])
# "output" accumulates every reply for post-mortem inspection; nothing in
# this test asserts on it.
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-1\" role \"testrole\" prohibit row insertion into table \"fixed_colors\".","error":"permission error"}]]
], [ignore])
140 | ||
# Test 2:
# Attempt to insert a row into the "user_colors" table with a client ID that
# does not match the value in the column used for authorization. This should
# fail the authorization check for insertion.
# The ownership check is applied to the row being inserted, so a client
# cannot create rows attributed to some other identity ("client-2" here
# while authenticated as "client-1").
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
          --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
          --certificate=$RBAC_PKIDIR/client-1-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          ['["mydb",
            {"op": "insert",
             "table": "user_colors",
             "row": {"creator": "client-2", "name": "chartreuse", "value": '8388352'}}
          ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-1\" role \"testrole\" prohibit row insertion into table \"user_colors\".","error":"permission error"}]]
], [ignore])
157 | ||
# Test 3:
# Attempt to insert a row into the "user_colors" table. This should
# succeed since role "testrole" has permissions for this table that
# allow row insertion.
# Same request as Test 2 but with "creator" equal to the authenticated
# identity.  The resulting "chartreuse" row is the subject of Tests 4-9.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
          --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
          --certificate=$RBAC_PKIDIR/client-1-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          ['["mydb",
            {"op": "insert",
             "table": "user_colors",
             "row": {"creator": "client-1", "name": "chartreuse", "value": '8388352'}}
          ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"uuid":["uuid","<0>"]}]]
], [ignore])
174 | ||
# Test 4:
# Attempt to update a column in the "user_colors" table. This should
# succeed since role "testrole" has permissions for this table that
# allow update of the "value" column when ID is equal to the value in
# the "creator" column.
# NOTE(review): "value" is in permission y's "update" set.  No test in
# this file exercises an update to a column outside that set (in
# particular "creator", the ownership column); a negative check for that
# would keep the "update" restriction itself covered.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
          --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
          --certificate=$RBAC_PKIDIR/client-1-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          ['["mydb",
            {"op": "update",
             "table": "user_colors",
             "where": [["name", "==", "chartreuse"]],
             "row": {"value": '8388353'}}
          ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
], [ignore])
193 | ||
# Test 5:
# Attempt to update a column in the "user_colors" table. Same as
# previous test, but with a different client ID. This should fail
# the RBAC authorization test because "client-2" does not match the
# "creator" column for this row.
# The "where" clause selects the row by name, so the denial comes from
# the per-row ownership comparison, not from the table-level map.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
          --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
          --certificate=$RBAC_PKIDIR/client-2-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          ['["mydb",
            {"op": "update",
             "table": "user_colors",
             "where": [["name", "==", "chartreuse"]],
             "row": {"value": '8388354'}}
          ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit modification of table \"user_colors\".","error":"permission error"}]]
], [ignore])
212 | ||
# Test 6:
# Attempt to mutate a column in the "user_colors" table. This should
# succeed since role "testrole" has permissions for this table that
# allow update of the "value" column when ID is equal to the value in
# the "creator" column.
# "mutate" is a distinct operation from "update"; this confirms it is
# governed by the same "update" column set and ownership rule.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
          --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
          --certificate=$RBAC_PKIDIR/client-1-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          ['["mydb",
            {"op": "mutate",
             "table": "user_colors",
             "where": [["name", "==", "chartreuse"]],
             "mutations": [["value", "+=", '10']]}
          ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
], [ignore])
231 | ||
# Test 7:
# Attempt to mutate a column in the "user_colors" table. Same as
# previous test, but with a different client ID. This should fail
# the RBAC authorization test because "client-2" does not match the
# "creator" column for this row.
# The server reports mutations with their own wording ("prohibit mutate
# operation"), distinct from the "update" denial in Test 5.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
          --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
          --certificate=$RBAC_PKIDIR/client-2-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          ['["mydb",
            {"op": "mutate",
             "table": "user_colors",
             "where": [["name", "==", "chartreuse"]],
             "mutations": [["value", "+=", '10']]}
          ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit mutate operation on table \"user_colors\".","error":"permission error"}]]
], [ignore])
250 | ||
# Test 8:
# Attempt to delete a row from the "user_colors" table. This should fail
# the RBAC authorization test because "client-2" does not match the
# "creator" column for this row.
# Deletion is covered by permission y's "insert_delete" flag, but the
# ownership comparison still applies to each row matched by "where".
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
          --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
          --certificate=$RBAC_PKIDIR/client-2-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          ['["mydb",
            {"op": "delete",
             "table": "user_colors",
             "where": [["name", "==", "chartreuse"]]}
          ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit row deletion from table \"user_colors\".","error":"permission error"}]]
], [ignore])
267 | ||
# Test 9:
# Attempt to delete a row from the "user_colors" table. This should pass
# the RBAC authorization test because "client-1" matches the
# "creator" column for this row.
# After this the "chartreuse" row is gone; the remaining tests use the
# "other_colors" table instead.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
          --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
          --certificate=$RBAC_PKIDIR/client-1-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          ['["mydb",
            {"op": "delete",
             "table": "user_colors",
             "where": [["name", "==", "chartreuse"]]}
          ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
], [ignore])
284 | ||
# Test 10:
# Attempt to insert a row into the "other_colors" table. This should
# succeed since role "testrole" has permissions for this table that
# allow row insertion.
# Here "creator" is a string map and permission z's authorization is
# "creator:chassis", so the identity is taken from the "chassis" key of
# that map; the inserted row sets it to the authenticated client.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
          --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
          --certificate=$RBAC_PKIDIR/client-1-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          ['["mydb",
            {"op": "insert",
             "table": "other_colors",
             "row": {"creator": ["map",[["chassis", "client-1"]]], "name": "seafoam", "value": '7466680'}}
          ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"uuid":["uuid","<0>"]}]]
], [ignore])
301 | ||
# Test 11:
# Attempt to update a column in the "other_colors" table. This should
# succeed since role "testrole" has permissions for this table that
# allow update of the "value" column when ID is equal to the value in
# the "chassis" key of the "creator" map column.
# (The comment used to say "user_colors"; the request below targets
# "other_colors" and the "seafoam" row created in Test 10.)
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
          --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
          --certificate=$RBAC_PKIDIR/client-1-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          ['["mydb",
            {"op": "update",
             "table": "other_colors",
             "where": [["name", "==", "seafoam"]],
             "row": {"value": '8388353'}}
          ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
], [ignore])
320 | ||
# Test 12:
# Attempt to update a column in the "other_colors" table. Same as
# previous test, but with a different client ID. This should fail
# the RBAC authorization test because "client-2" does not match the
# "creator" column for this row.
# Counterpart of Test 5 for the map-valued ownership column.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
          --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
          --certificate=$RBAC_PKIDIR/client-2-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          ['["mydb",
            {"op": "update",
             "table": "other_colors",
             "where": [["name", "==", "seafoam"]],
             "row": {"value": '8388354'}}
          ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit modification of table \"other_colors\".","error":"permission error"}]]
], [ignore])
339 | ||
# Test 13:
# Attempt to delete a row from the "other_colors" table. This should fail
# the RBAC authorization test because "client-2" does not match the
# "creator" column for this row.
# Counterpart of Test 8 for the map-valued ownership column.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
          --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
          --certificate=$RBAC_PKIDIR/client-2-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          ['["mydb",
            {"op": "delete",
             "table": "other_colors",
             "where": [["name", "==", "seafoam"]]}
          ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit row deletion from table \"other_colors\".","error":"permission error"}]]
], [ignore])
356 | ||
# Test 14:
# Attempt to delete a row from the "other_colors" table. This should pass
# the RBAC authorization test because "client-1" matches the
# "creator" column for this row.
# Counterpart of Test 9; leaves "other_colors" empty again.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
          --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
          --certificate=$RBAC_PKIDIR/client-1-cert.pem \
          --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
          ['["mydb",
            {"op": "delete",
             "table": "other_colors",
             "where": [["name", "==", "seafoam"]]}
          ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
], [ignore])
373 | ||
# Stop the detached ovsdb-server started above and tear down the test
# directory (PKI, database, logs and the accumulated "output" file).
OVSDB_SERVER_SHUTDOWN
AT_CLEANUP