forked from keylime/keylime
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathtest_authorization.py
More file actions
603 lines (520 loc) · 21.8 KB
/
Copy pathtest_authorization.py
File metadata and controls
603 lines (520 loc) · 21.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
"""Unit tests for the authorization framework.
Tests cover:
- SimpleAuthProvider authorization logic
- Action enum and categorization
- AuthorizationManager provider loading
- Identity extraction and authentication separation
"""
import unittest
from unittest.mock import MagicMock
import keylime.authorization.manager as manager_module
from keylime.authorization.manager import AuthorizationManager
from keylime.authorization.provider import Action, AuthorizationRequest
from keylime.authorization.providers.simple import SimpleAuthProvider
from keylime.web.base.controller import Controller
from keylime.web.base.route import Route
class TestSimpleAuthProvider(unittest.TestCase):
"""Test SimpleAuthProvider authorization logic."""
def setUp(self):
"""Create a SimpleAuthProvider instance for testing."""
self.provider = SimpleAuthProvider({})
def test_provider_name(self):
"""Test provider returns correct name."""
self.assertEqual(self.provider.get_name(), "simple")
def test_health_check(self):
"""Test provider health check returns True."""
self.assertTrue(self.provider.health_check())
# PUBLIC actions tests
def test_public_action_read_version_anonymous(self):
"""Test anonymous user can read version (public action)."""
request = AuthorizationRequest(
identity="anonymous",
identity_type="anonymous",
action=Action.READ_VERSION,
resource=None,
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_public_action_read_server_info_anonymous(self):
"""Test anonymous user can read server info (public action)."""
request = AuthorizationRequest(
identity="anonymous",
identity_type="anonymous",
action=Action.READ_SERVER_INFO,
resource=None,
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_public_action_create_session_anonymous(self):
"""Test anonymous user can create session (public action)."""
request = AuthorizationRequest(
identity="anonymous",
identity_type="anonymous",
action=Action.CREATE_SESSION,
resource=None,
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_public_action_verify_identity_anonymous(self):
"""Test anonymous user can verify identity (public action)."""
request = AuthorizationRequest(
identity="anonymous",
identity_type="anonymous",
action=Action.VERIFY_IDENTITY,
resource=None,
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_public_action_verify_evidence_anonymous(self):
"""Test anonymous user can verify evidence (public action)."""
request = AuthorizationRequest(
identity="anonymous",
identity_type="anonymous",
action=Action.VERIFY_EVIDENCE,
resource=None,
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_public_action_allowed_for_agent(self):
"""Test agent can access public actions."""
request = AuthorizationRequest(
identity="agent-123",
identity_type="agent",
action=Action.READ_VERSION,
resource=None,
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_public_action_allowed_for_admin(self):
"""Test admin can access public actions."""
request = AuthorizationRequest(
identity="admin-cn",
identity_type="admin",
action=Action.READ_VERSION,
resource=None,
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
# Registrar PUBLIC actions tests
def test_public_action_register_agent_anonymous(self):
"""Test anonymous can register agent (registrar public action)."""
request = AuthorizationRequest(
identity="anonymous",
identity_type="anonymous",
action=Action.REGISTER_AGENT,
resource="agent-123",
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_public_action_activate_agent_anonymous(self):
"""Test anonymous can activate agent (registrar public action)."""
request = AuthorizationRequest(
identity="anonymous",
identity_type="anonymous",
action=Action.ACTIVATE_AGENT,
resource="agent-123",
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
# Registrar ADMIN actions tests
def test_admin_action_list_registrations(self):
"""Test admin can list registrations."""
request = AuthorizationRequest(
identity="admin-cn",
identity_type="admin",
action=Action.LIST_REGISTRATIONS,
resource=None,
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_admin_action_read_registration(self):
"""Test admin can read registration."""
request = AuthorizationRequest(
identity="admin-cn",
identity_type="admin",
action=Action.READ_REGISTRATION,
resource="agent-123",
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_admin_action_delete_registration(self):
"""Test admin can delete registration."""
request = AuthorizationRequest(
identity="admin-cn",
identity_type="admin",
action=Action.DELETE_REGISTRATION,
resource="agent-123",
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_anonymous_cannot_list_registrations(self):
"""Test anonymous cannot list registrations (admin action)."""
request = AuthorizationRequest(
identity="anonymous",
identity_type="anonymous",
action=Action.LIST_REGISTRATIONS,
resource=None,
)
response = self.provider.authorize(request)
self.assertFalse(response.allowed)
def test_anonymous_cannot_delete_registration(self):
"""Test anonymous cannot delete registration (admin action)."""
request = AuthorizationRequest(
identity="anonymous",
identity_type="anonymous",
action=Action.DELETE_REGISTRATION,
resource="agent-123",
)
response = self.provider.authorize(request)
self.assertFalse(response.allowed)
# AGENT actions tests
def test_agent_action_submit_attestation_own_resource(self):
"""Test agent can submit attestation for own resource."""
request = AuthorizationRequest(
identity="agent-123",
identity_type="agent",
action=Action.SUBMIT_ATTESTATION,
resource="agent-123",
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_agent_action_submit_attestation_other_resource_denied(self):
"""Test agent cannot submit attestation for other agent's resource."""
request = AuthorizationRequest(
identity="agent-123",
identity_type="agent",
action=Action.SUBMIT_ATTESTATION,
resource="agent-456",
)
response = self.provider.authorize(request)
self.assertFalse(response.allowed)
def test_agent_action_read_agent_own_resource(self):
"""Test agent can read own status."""
request = AuthorizationRequest(
identity="agent-123",
identity_type="agent",
action=Action.READ_AGENT,
resource="agent-123",
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_agent_action_read_agent_other_resource_denied(self):
"""Test agent cannot read other agent's status."""
request = AuthorizationRequest(
identity="agent-123",
identity_type="agent",
action=Action.READ_AGENT,
resource="agent-456",
)
response = self.provider.authorize(request)
self.assertFalse(response.allowed)
def test_public_action_extend_session(self):
"""Test extend session is public (session controller validates PoP/token internally)."""
# Anonymous can trigger extend session - the session controller validates internally
request = AuthorizationRequest(
identity="anonymous",
identity_type="anonymous",
action=Action.EXTEND_SESSION,
resource="session-123",
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_agent_action_denied_for_admin(self):
"""Test admin cannot access agent actions (strict separation)."""
request = AuthorizationRequest(
identity="admin-cn",
identity_type="admin",
action=Action.SUBMIT_ATTESTATION,
resource="agent-123",
)
response = self.provider.authorize(request)
self.assertFalse(response.allowed)
def test_agent_action_denied_for_anonymous(self):
"""Test anonymous cannot access agent actions."""
request = AuthorizationRequest(
identity="anonymous",
identity_type="anonymous",
action=Action.SUBMIT_ATTESTATION,
resource="agent-123",
)
response = self.provider.authorize(request)
self.assertFalse(response.allowed)
# ADMIN actions tests
def test_admin_action_create_agent(self):
"""Test admin can create agent."""
request = AuthorizationRequest(
identity="admin-cn",
identity_type="admin",
action=Action.CREATE_AGENT,
resource=None,
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_admin_action_delete_agent(self):
"""Test admin can delete agent."""
request = AuthorizationRequest(
identity="admin-cn",
identity_type="admin",
action=Action.DELETE_AGENT,
resource="agent-123",
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_admin_action_list_agents(self):
"""Test admin can list agents."""
request = AuthorizationRequest(
identity="admin-cn",
identity_type="admin",
action=Action.LIST_AGENTS,
resource=None,
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_admin_action_create_runtime_policy(self):
"""Test admin can create runtime policy."""
request = AuthorizationRequest(
identity="admin-cn",
identity_type="admin",
action=Action.CREATE_RUNTIME_POLICY,
resource=None,
)
response = self.provider.authorize(request)
self.assertTrue(response.allowed)
def test_admin_action_denied_for_agent(self):
"""Test agent cannot access admin actions."""
request = AuthorizationRequest(
identity="agent-123",
identity_type="agent",
action=Action.CREATE_AGENT,
resource=None,
)
response = self.provider.authorize(request)
self.assertFalse(response.allowed)
def test_admin_action_denied_for_anonymous(self):
"""Test anonymous cannot access admin actions."""
request = AuthorizationRequest(
identity="anonymous",
identity_type="anonymous",
action=Action.CREATE_AGENT,
resource=None,
)
response = self.provider.authorize(request)
self.assertFalse(response.allowed)
class TestAuthorizationCategories(unittest.TestCase):
"""Test that actions are correctly categorized."""
def setUp(self):
"""Create a SimpleAuthProvider instance for testing."""
self.provider = SimpleAuthProvider({})
def test_public_actions_set(self):
"""Verify PUBLIC_ACTIONS contains expected actions."""
expected_public = {
# Verifier public actions
Action.READ_VERSION,
Action.READ_SERVER_INFO,
Action.VERIFY_IDENTITY,
Action.VERIFY_EVIDENCE,
Action.CREATE_SESSION,
Action.EXTEND_SESSION, # Session controller validates PoP/token internally
# Registrar public actions (agent self-registration)
Action.REGISTER_AGENT,
Action.ACTIVATE_AGENT,
}
self.assertEqual(self.provider.PUBLIC_ACTIONS, expected_public)
def test_agent_only_actions_set(self):
"""Verify AGENT_ONLY_ACTIONS contains expected actions."""
expected_agent_only = {
Action.SUBMIT_ATTESTATION,
}
self.assertEqual(self.provider.AGENT_ONLY_ACTIONS, expected_agent_only)
def test_agent_or_admin_actions_set(self):
"""Verify AGENT_OR_ADMIN_ACTIONS contains expected actions."""
expected_agent_or_admin = {
Action.READ_AGENT,
}
self.assertEqual(self.provider.AGENT_OR_ADMIN_ACTIONS, expected_agent_or_admin)
def test_admin_actions_are_remainder(self):
"""Verify admin actions are all actions not in PUBLIC, AGENT_ONLY, or AGENT_OR_ADMIN."""
all_actions = set(Action)
non_admin = (
self.provider.PUBLIC_ACTIONS | self.provider.AGENT_ONLY_ACTIONS | self.provider.AGENT_OR_ADMIN_ACTIONS
)
admin_actions = all_actions - non_admin
# Verify some expected admin actions (verifier)
self.assertIn(Action.CREATE_AGENT, admin_actions)
self.assertIn(Action.DELETE_AGENT, admin_actions)
self.assertIn(Action.LIST_AGENTS, admin_actions)
self.assertIn(Action.CREATE_RUNTIME_POLICY, admin_actions)
self.assertIn(Action.CREATE_MB_POLICY, admin_actions)
# Verify registrar admin actions
self.assertIn(Action.LIST_REGISTRATIONS, admin_actions)
self.assertIn(Action.READ_REGISTRATION, admin_actions)
self.assertIn(Action.DELETE_REGISTRATION, admin_actions)
class TestAuthorizationSecurityModel(unittest.TestCase):
"""Test security model enforcement."""
def setUp(self):
"""Create a SimpleAuthProvider instance for testing."""
self.provider = SimpleAuthProvider({})
def test_admin_cannot_access_agent_only_endpoints(self):
"""Test that admin identity_type cannot access agent-only actions.
This ensures strict separation - admins cannot submit attestations,
which are reserved for agents only.
"""
agent_only_actions = [
Action.SUBMIT_ATTESTATION,
]
for action in agent_only_actions:
request = AuthorizationRequest(
identity="admin-cn",
identity_type="admin",
action=action,
resource="agent-123",
)
response = self.provider.authorize(request)
self.assertFalse(
response.allowed,
f"Admin should NOT be allowed to access agent-only action {action.value}",
)
def test_admin_can_access_agent_or_admin_endpoints(self):
"""Test that admin identity_type can access agent-or-admin actions.
Actions like READ_AGENT should be accessible to both agents (for their own
resources) and admins (for any resource).
"""
agent_or_admin_actions = [
Action.READ_AGENT,
]
for action in agent_or_admin_actions:
request = AuthorizationRequest(
identity="admin-cn",
identity_type="admin",
action=action,
resource="agent-123",
)
response = self.provider.authorize(request)
self.assertTrue(
response.allowed,
f"Admin should be allowed to access agent-or-admin action {action.value}",
)
def test_agent_cannot_access_admin_endpoints(self):
"""Test that agent identity_type cannot access admin actions.
This ensures agents with PoP tokens cannot perform admin operations.
"""
admin_actions = [
# Verifier admin actions
Action.CREATE_AGENT,
Action.DELETE_AGENT,
Action.UPDATE_AGENT,
Action.LIST_AGENTS,
Action.CREATE_RUNTIME_POLICY,
Action.DELETE_RUNTIME_POLICY,
# Registrar admin actions
Action.LIST_REGISTRATIONS,
Action.READ_REGISTRATION,
Action.DELETE_REGISTRATION,
]
for action in admin_actions:
request = AuthorizationRequest(
identity="agent-123",
identity_type="agent",
action=action,
resource=None,
)
response = self.provider.authorize(request)
self.assertFalse(
response.allowed,
f"Agent should NOT be allowed to access admin action {action.value}",
)
def test_expired_token_becomes_anonymous_denied(self):
"""Test that expired token (anonymous) cannot access protected endpoints.
When a bearer token is invalid/expired, the identity_type becomes
"anonymous" and should be denied for non-public actions.
"""
request = AuthorizationRequest(
identity="anonymous",
identity_type="anonymous",
action=Action.CREATE_AGENT,
resource=None,
)
response = self.provider.authorize(request)
self.assertFalse(response.allowed)
def test_resource_ownership_required_for_agent(self):
"""Test that agents can only access their own resources."""
request = AuthorizationRequest(
identity="agent-123",
identity_type="agent",
action=Action.SUBMIT_ATTESTATION,
resource="agent-456", # Different from identity
)
response = self.provider.authorize(request)
self.assertFalse(response.allowed)
self.assertIn("ownership", response.reason.lower())
class TestAuthorizationManager(unittest.TestCase):
"""Test AuthorizationManager functionality."""
def test_manager_loads_simple_provider_by_default(self):
"""Test that manager loads simple provider by default."""
# Reset the global manager
manager_module._manager = None # pylint: disable=protected-access
manager = AuthorizationManager()
self.assertEqual(manager.get_provider_name(), "simple")
def test_manager_authorize_logs_and_returns_response(self):
"""Test that manager correctly routes authorization requests."""
manager = AuthorizationManager()
request = AuthorizationRequest(
identity="admin-cn",
identity_type="admin",
action=Action.CREATE_AGENT,
resource=None,
)
response = manager.authorize(request)
self.assertTrue(response.allowed)
def test_manager_denies_on_provider_error(self):
"""Test that manager denies access if provider raises exception."""
manager = AuthorizationManager()
# Mock the provider to raise an exception
assert manager._provider is not None # pylint: disable=protected-access
original_authorize = manager._provider.authorize # pylint: disable=protected-access
manager._provider.authorize = MagicMock(side_effect=Exception("Test error")) # type: ignore[assignment] # pylint: disable=protected-access
request = AuthorizationRequest(
identity="admin-cn",
identity_type="admin",
action=Action.CREATE_AGENT,
resource=None,
)
response = manager.authorize(request)
# Should deny on error (fail-safe)
self.assertFalse(response.allowed)
self.assertIn("error", response.reason.lower())
# Restore original
manager._provider.authorize = original_authorize # type: ignore[assignment] # pylint: disable=protected-access
class TestRouteAuthAction(unittest.TestCase):
"""Test that Route class correctly stores and returns auth_action metadata."""
def test_route_stores_auth_action(self):
"""Test that Route correctly stores auth_action parameter."""
class TestController(Controller):
def index(self):
pass
route = Route("get", "/agents", TestController, "index", auth_action=Action.LIST_AGENTS)
self.assertEqual(route.auth_action, Action.LIST_AGENTS)
def test_route_auth_action_defaults_to_none(self):
"""Test that Route auth_action defaults to None when not specified."""
class TestController(Controller):
def index(self):
pass
route = Route("get", "/test", TestController, "index")
self.assertIsNone(route.auth_action)
def test_route_with_requires_auth_and_auth_action(self):
"""Test that Route correctly stores both requires_auth and auth_action."""
class TestController(Controller):
def delete(self):
pass
route = Route(
"delete",
"/agents/:agent_id",
TestController,
"delete",
requires_auth=True,
auth_action=Action.DELETE_AGENT,
)
self.assertTrue(route.requires_auth)
self.assertEqual(route.auth_action, Action.DELETE_AGENT)
if __name__ == "__main__":
unittest.main()