]> git.proxmox.com Git - ovs.git/blob - tests/ovsdb-rbac.at
system-kmod-macros: Load TFTP module.
[ovs.git] / tests / ovsdb-rbac.at
1 AT_BANNER([OVSDB -- ovsdb-server rbac])
2
3 AT_SETUP([ovsdb-server/rbac 2])
4 AT_KEYWORDS([ovsdb server rbac])
5 AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
6
7 RBAC_PKIDIR="$(pwd)"
8 RBAC_PKI="sh $abs_top_srcdir/utilities/ovs-pki.in --dir=$RBAC_PKIDIR/pki --log=$RBAC_PKIDIR/rbac-pki.log"
9 $RBAC_PKI -B 1024 init
10 $RBAC_PKI -B 1024 req+sign ovsdb-server switch
11 $RBAC_PKI -B 1024 -u req+sign client-1 switch
12 $RBAC_PKI -B 1024 -u req+sign client-2 switch
13
14 AT_DATA([schema],
15 [[{"name": "mydb",
16 "tables": {
17 "Root": {
18 "columns": {
19 "connections": {
20 "type": {
21 "key": {"type": "uuid", "refTable": "Connection"},
22 "min": 0,
23 "max": "unlimited"}}},
24 "isRoot": true},
25 "Connection": {
26 "columns": {
27 "target": {
28 "type": "string"},
29 "role": {
30 "type": "string"}}},
31 "RBAC_Role": {
32 "columns": {
33 "name": {"type": "string"},
34 "permissions": {
35 "type": {"key": {"type": "string"},
36 "value": {"type": "uuid",
37 "refTable": "RBAC_Permission",
38 "refType": "weak"},
39 "min": 0, "max": "unlimited"}}},
40 "isRoot": true},
41 "RBAC_Permission": {
42 "columns": {
43 "table": {"type": "string"},
44 "authorization": {"type": {"key": "string",
45 "min": 0,
46 "max": "unlimited"}},
47 "insert_delete": {"type": "boolean"},
48 "update" : {"type": {"key": "string",
49 "min": 0,
50 "max": "unlimited"}}},
51 "isRoot": true},
52 "fixed_colors": {
53 "columns": {
54 "name": {"type": "string"}, "value": {"type": "integer"}},
55 "indexes": [["name"]],
56 "isRoot": true},
57 "user_colors": {
58 "columns": {
59 "creator": {"type": "string"},
60 "name": {"type": "string"},
61 "value": {"type": "integer"}},
62 "indexes": [["name"]],
63 "isRoot": true},
64 "other_colors": {
65 "columns": {
66 "creator": {
67 "type": {"key": {"type": "string"},
68 "value": {"type": "string"},
69 "min": 0, "max": "unlimited"}},
70 "name": {"type": "string"},
71 "value": {"type": "integer"}},
72 "indexes": [["name"]],
73 "isRoot": true}
74 },
75 "version": "5.1.3",
76 "cksum": "12345678 9"
77 }
78 ]])
79
80 AT_CHECK([ovsdb-tool create db schema], [0], [ignore], [ignore])
81 AT_CHECK(
82 [[ovsdb-tool transact db \
83 '["mydb",
84 {"op": "insert",
85 "table": "Root",
86 "row": {
87 "connections": ["set", [["named-uuid", "x"]]]}},
88 {"op": "insert",
89 "table": "Connection",
90 "uuid-name": "x",
91 "row": {"target": "pssl:0:127.0.0.1",
92 "role": "testrole"}},
93 {"op": "insert",
94 "table": "fixed_colors",
95 "row": {"name": "red",
96 "value": '16711680'}},
97 {"op": "insert",
98 "table": "RBAC_Role",
99 "row": {"name": "testrole",
100 "permissions": ["map", [["user_colors", ["named-uuid", "y"]],
101 ["other_colors", ["named-uuid", "z"]]]]}},
102 {"op": "insert",
103 "table": "RBAC_Permission",
104 "uuid-name": "y",
105 "row": {"authorization": "creator",
106 "insert_delete": true,
107 "table": "user_colors",
108 "update": ["set", ["name", "value"]]}},
109 {"op": "insert",
110 "table": "RBAC_Permission",
111 "uuid-name": "z",
112 "row": {"authorization": "creator:chassis",
113 "insert_delete": true,
114 "table": "user_colors",
115 "update": ["set", ["name", "value"]]}}
116 ]']], [0], [ignore], [ignore])
117
118 AT_CHECK([ovsdb-server --log-file --detach --no-chdir --pidfile --remote=db:mydb,Root,connections \
119 --private-key=$RBAC_PKIDIR/ovsdb-server-privkey.pem \
120 --certificate=$RBAC_PKIDIR/ovsdb-server-cert.pem \
121 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
122 db], [0], [ignore], [ignore])
123 PARSE_LISTENING_PORT([ovsdb-server.log], [SSL_PORT])
124
125 # Test 1:
126 # Attempt to insert a row into the "fixed_colors" table. This should
127 # fail as there are no permissions for role "testrole" for this table.
128 AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
129 --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
130 --certificate=$RBAC_PKIDIR/client-1-cert.pem \
131 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
132 ['["mydb",
133 {"op": "insert",
134 "table": "fixed_colors",
135 "row": {"name": "chartreuse", "value": '8388352'}}
136 ]']], [0], [stdout], [ignore])
137 cat stdout >> output
138 AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-1\" role \"testrole\" prohibit row insertion into table \"fixed_colors\".","error":"permission error"}]]
139 ], [ignore])
140
141 # Test 2:
142 # Attempt to insert a row into the "user_colors" table with a client ID that
143 # does not match the value in the column used for authorization. This should
144 # fail the authorization check for insertion.
145 AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
146 --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
147 --certificate=$RBAC_PKIDIR/client-1-cert.pem \
148 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
149 ['["mydb",
150 {"op": "insert",
151 "table": "user_colors",
152 "row": {"creator": "client-2", "name": "chartreuse", "value": '8388352'}}
153 ]']], [0], [stdout], [ignore])
154 cat stdout >> output
155 AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-1\" role \"testrole\" prohibit row insertion into table \"user_colors\".","error":"permission error"}]]
156 ], [ignore])
157
158 # Test 3:
159 # Attempt to insert a row into the "user_colors" table. This should
160 # succeed since role "testrole" has permissions for this table that
161 # allow row insertion.
162 AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
163 --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
164 --certificate=$RBAC_PKIDIR/client-1-cert.pem \
165 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
166 ['["mydb",
167 {"op": "insert",
168 "table": "user_colors",
169 "row": {"creator": "client-1", "name": "chartreuse", "value": '8388352'}}
170 ]']], [0], [stdout], [ignore])
171 cat stdout >> output
172 AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"uuid":["uuid","<0>"]}]]
173 ], [ignore])
174
175 # Test 4:
176 # Attempt to update a column in the "user_colors" table. This should
177 # succeed since role "testrole" has permissions for this table that
178 # allow update of the "value" column when ID is equal to the value in
179 # the "creator" column.
180 AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
181 --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
182 --certificate=$RBAC_PKIDIR/client-1-cert.pem \
183 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
184 ['["mydb",
185 {"op": "update",
186 "table": "user_colors",
187 "where": [["name", "==", "chartreuse"]],
188 "row": {"value": '8388353'}}
189 ]']], [0], [stdout], [ignore])
190 cat stdout >> output
191 AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"count":1}]]
192 ], [ignore])
193
194 # Test 5:
195 # Attempt to update a column in the "user_colors" table. Same as
196 # previous test, but with a different client ID. This should fail
197 # the RBAC authorization test because "client-2" does not match the
198 # "creator" column for this row.
199 AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
200 --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
201 --certificate=$RBAC_PKIDIR/client-2-cert.pem \
202 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
203 ['["mydb",
204 {"op": "update",
205 "table": "user_colors",
206 "where": [["name", "==", "chartreuse"]],
207 "row": {"value": '8388354'}}
208 ]']], [0], [stdout], [ignore])
209 cat stdout >> output
210 AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit modification of table \"user_colors\".","error":"permission error"}]]
211 ], [ignore])
212
213 # Test 6:
214 # Attempt to mutate a column in the "user_colors" table. This should
215 # succeed since role "testrole" has permissions for this table that
216 # allow update of the "value" column when ID is equal to the value in
217 # the "creator" column.
218 AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
219 --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
220 --certificate=$RBAC_PKIDIR/client-1-cert.pem \
221 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
222 ['["mydb",
223 {"op": "mutate",
224 "table": "user_colors",
225 "where": [["name", "==", "chartreuse"]],
226 "mutations": [["value", "+=", '10']]}
227 ]']], [0], [stdout], [ignore])
228 cat stdout >> output
229 AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"count":1}]]
230 ], [ignore])
231
232 # Test 7:
233 # Attempt to mutate a column in the "user_colors" table. Same as
234 # previous test, but with a different client ID. This should fail
235 # the RBAC authorization test because "client-2" does not match the
236 # "creator" column for this row.
237 AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
238 --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
239 --certificate=$RBAC_PKIDIR/client-2-cert.pem \
240 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
241 ['["mydb",
242 {"op": "mutate",
243 "table": "user_colors",
244 "where": [["name", "==", "chartreuse"]],
245 "mutations": [["value", "+=", '10']]}
246 ]']], [0], [stdout], [ignore])
247 cat stdout >> output
248 AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit mutate operation on table \"user_colors\".","error":"permission error"}]]
249 ], [ignore])
250
251 # Test 8:
252 # Attempt to delete a row from the "user_colors" table. This should fail
253 # the RBAC authorization test because "client-2" does not match the
254 # "creator" column for this row.
255 AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
256 --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
257 --certificate=$RBAC_PKIDIR/client-2-cert.pem \
258 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
259 ['["mydb",
260 {"op": "delete",
261 "table": "user_colors",
262 "where": [["name", "==", "chartreuse"]]}
263 ]']], [0], [stdout], [ignore])
264 cat stdout >> output
265 AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit row deletion from table \"user_colors\".","error":"permission error"}]]
266 ], [ignore])
267
268 # Test 9:
269 # Attempt to delete a row from the "user_colors" table. This should pass
270 # the RBAC authorization test because "client-1" does matches the
271 # "creator" column for this row.
272 AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
273 --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
274 --certificate=$RBAC_PKIDIR/client-1-cert.pem \
275 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
276 ['["mydb",
277 {"op": "delete",
278 "table": "user_colors",
279 "where": [["name", "==", "chartreuse"]]}
280 ]']], [0], [stdout], [ignore])
281 cat stdout >> output
282 AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"count":1}]]
283 ], [ignore])
284
285 # Test 10:
286 # Attempt to insert a row into the "other_colors" table. This should
287 # succeed since role "testrole" has permissions for this table that
288 # allow row insertion.
289 AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
290 --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
291 --certificate=$RBAC_PKIDIR/client-1-cert.pem \
292 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
293 ['["mydb",
294 {"op": "insert",
295 "table": "other_colors",
296 "row": {"creator": ["map",[["chassis", "client-1"]]], "name": "seafoam", "value": '7466680'}}
297 ]']], [0], [stdout], [ignore])
298 cat stdout >> output
299 AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"uuid":["uuid","<0>"]}]]
300 ], [ignore])
301
302 # Test 11:
303 # Attempt to update a column in the "user_colors" table. This should
304 # succeed since role "testrole" has permissions for this table that
305 # allow update of the "value" column when ID is equal to the value in
306 # the "creator" column.
307 AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
308 --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
309 --certificate=$RBAC_PKIDIR/client-1-cert.pem \
310 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
311 ['["mydb",
312 {"op": "update",
313 "table": "other_colors",
314 "where": [["name", "==", "seafoam"]],
315 "row": {"value": '8388353'}}
316 ]']], [0], [stdout], [ignore])
317 cat stdout >> output
318 AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"count":1}]]
319 ], [ignore])
320
321 # Test 12:
322 # Attempt to update a column in the "other_colors" table. Same as
323 # previous test, but with a different client ID. This should fail
324 # the RBAC authorization test because "client-2" does not match the
325 # "creator" column for this row.
326 AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
327 --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
328 --certificate=$RBAC_PKIDIR/client-2-cert.pem \
329 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
330 ['["mydb",
331 {"op": "update",
332 "table": "other_colors",
333 "where": [["name", "==", "seafoam"]],
334 "row": {"value": '8388354'}}
335 ]']], [0], [stdout], [ignore])
336 cat stdout >> output
337 AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit modification of table \"other_colors\".","error":"permission error"}]]
338 ], [ignore])
339
340 # Test 13:
341 # Attempt to delete a row from the "other_colors" table. This should fail
342 # the RBAC authorization test because "client-2" does not match the
343 # "creator" column for this row.
344 AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
345 --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
346 --certificate=$RBAC_PKIDIR/client-2-cert.pem \
347 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
348 ['["mydb",
349 {"op": "delete",
350 "table": "other_colors",
351 "where": [["name", "==", "seafoam"]]}
352 ]']], [0], [stdout], [ignore])
353 cat stdout >> output
354 AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit row deletion from table \"other_colors\".","error":"permission error"}]]
355 ], [ignore])
356
357 # Test 14:
358 # Attempt to delete a row from the "other_colors" table. This should pass
359 # the RBAC authorization test because "client-1" does matches the
360 # "creator" column for this row.
361 AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
362 --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
363 --certificate=$RBAC_PKIDIR/client-1-cert.pem \
364 --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
365 ['["mydb",
366 {"op": "delete",
367 "table": "other_colors",
368 "where": [["name", "==", "seafoam"]]}
369 ]']], [0], [stdout], [ignore])
370 cat stdout >> output
371 AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"count":1}]]
372 ], [ignore])
373
374 OVSDB_SERVER_SHUTDOWN
375 AT_CLEANUP