From bcc57af2383ba1ba4d0105fe74491aa80158c443 Mon Sep 17 00:00:00 2001 From: Ilya Baldin Date: Tue, 20 Dec 2022 17:07:02 -0500 Subject: [PATCH 1/2] Adding more facility port tests (dynamic) --- README.md | 2 +- test/test-harness.py | 94 +++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 93 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c5e26b5..6677090 100644 --- a/README.md +++ b/README.md @@ -233,7 +233,7 @@ curl --include --header "Content-Type: application/xacml+json" --data @policies/ ## Using a test harness -Make sure that `./authzforce-ce-core-pdp-cli-X.Y.Z.jar ` is present under `authzforce/` directory. Update `test/test-harness.py` appropriately, then run: +Make sure that `./authzforce-ce-core-pdp-cli-X.Y.Z.jar ` is present under `authzforce/` directory. Update `test/test-harness.py` appropriately, be sure to use a virtenv that has the latest (or appropriate) version of fabric-fim library, then run: ``` $ cd test/ $ pytest test-harness.py diff --git a/test/test-harness.py b/test/test-harness.py index 2d76978..b587b6a 100644 --- a/test/test-harness.py +++ b/test/test-harness.py @@ -479,7 +479,7 @@ def testFABNetv4ExtOK(self) -> None: def testFABNetv4ExtFail(self) -> None: """ - Test that adding FABNetv4 with proper tag works + Test that adding FABNetv4 with proper tag fails """ t = fu.ExperimentTopology() n1 = t.add_node(name='n1', site='RENC', capacities=fu.Capacities(core=1, ram=10, disk=25)) @@ -555,7 +555,7 @@ def testFABNetv6ExtOK(self) -> None: def testFABNetv6ExtFail(self) -> None: """ - Test that adding FABNetv4 with proper tag works + Test that adding FABNetv4 with proper tag fails """ t = fu.ExperimentTopology() n1 = t.add_node(name='n1', site='RENC', capacities=fu.Capacities(core=1, ram=10, disk=25)) 
@@ -588,4 +588,94 @@ def testFABNetv6ExtFail(self) -> None: authz.set_resource_subject_and_project(subject_id='user@google.com', project='MyProject') print(f"FABNetv4ExtFail: {authz.transform_to_pdp_request()}") + self.runOnStringRequest(authz.transform_to_pdp_request(), TAGPDP, 'Deny') + + def testFacilityOK(self) -> None: + + """ + Test that adding FABNetv4 with proper tag works + """ + t = fu.ExperimentTopology() + n1 = t.add_node(name='n1', site='RENC', capacities=fu.Capacities(core=1, ram=10, disk=25)) + c1 = n1.add_component(name='c1', model_type=fu.ComponentModelType.SmartNIC_ConnectX_6) + c2 = n1.add_component(name='c2', model_type=fu.ComponentModelType.SharedNIC_ConnectX_6) + n1.add_component(name='c3', model_type=fu.ComponentModelType.NVME_P4510) + n2 = t.add_node(name='n2', site='UKY', capacities=fu.Capacities(core=10, ram=10, disk=35)) + c4 = n2.add_component(name='c4', model_type=fu.ComponentModelType.SmartNIC_ConnectX_5) + s1 = t.add_network_service(name='s1', nstype=fu.ServiceType.FABNetv6Ext, + interfaces=[c1.interface_list[0]]) + s2 = t.add_network_service(name='s2', nstype=fu.ServiceType.FABNetv6Ext, + interfaces=[c4.interface_list[0]]) + + fac1 = t.add_facility(name='RENCI-DTN', site='RENC', capacities=fu.Capacities(bw=10), + labels=fu.Labels(vlan='100')) + # facility needs to be connected via a service to something else + sfac = t.add_network_service(name='s-fac', nstype=fu.ServiceType.L2STS, + interfaces=[fac1.interface_list[0], + c1.interface_list[1]]) + # this sets site property on fabnet, which is a must + t.validate() + + authz = ResourceAuthZAttributes() + + now = datetime.datetime.now(datetime.timezone.utc) + delta = datetime.timedelta(days=13, hours=11, minutes=7, seconds=4, milliseconds=10) + future = now + delta + + authz.collect_resource_attributes(source=t) + authz.set_action('create') + authz.set_lifetime(future) + authz.set_subject_attributes(subject_id='user@google.com', project='MyProject', project_tag=[ + 'VM.NoLimit', + 
'Component.SmartNIC', 'Component.NVME', 'Net.FABNetv6Ext', + 'Slice.Multisite', 'Net.FacilityPort.RENCI-DTN' + ]) + authz.set_resource_subject_and_project(subject_id='user@google.com', project='MyProject') + + print(f"FacilityOK: {authz.transform_to_pdp_request()}") + self.runOnStringRequest(authz.transform_to_pdp_request(), TAGPDP) + + def testFacilityFail(self) -> None: + + """ + Test that adding Facility with proper tag fails + """ + t = fu.ExperimentTopology() + n1 = t.add_node(name='n1', site='RENC', capacities=fu.Capacities(core=1, ram=10, disk=25)) + c1 = n1.add_component(name='c1', model_type=fu.ComponentModelType.SmartNIC_ConnectX_6) + c2 = n1.add_component(name='c2', model_type=fu.ComponentModelType.SharedNIC_ConnectX_6) + n1.add_component(name='c3', model_type=fu.ComponentModelType.NVME_P4510) + n2 = t.add_node(name='n2', site='UKY', capacities=fu.Capacities(core=10, ram=10, disk=35)) + c4 = n2.add_component(name='c4', model_type=fu.ComponentModelType.SmartNIC_ConnectX_5) + s1 = t.add_network_service(name='s1', nstype=fu.ServiceType.FABNetv6Ext, + interfaces=[c1.interface_list[0]]) + s2 = t.add_network_service(name='s2', nstype=fu.ServiceType.FABNetv6Ext, + interfaces=[c4.interface_list[0]]) + + fac1 = t.add_facility(name='RENCI-DTN', site='RENC', capacities=fu.Capacities(bw=10), + labels=fu.Labels(vlan='100')) + # facility needs to be connected via a service to something else + sfac = t.add_network_service(name='s-fac', nstype=fu.ServiceType.L2STS, + interfaces=[fac1.interface_list[0], + c1.interface_list[1]]) + # this sets site property on fabnet, which is a must + t.validate() + + authz = ResourceAuthZAttributes() + + now = datetime.datetime.now(datetime.timezone.utc) + delta = datetime.timedelta(days=13, hours=11, minutes=7, seconds=4, milliseconds=10) + future = now + delta + + authz.collect_resource_attributes(source=t) + authz.set_action('create') + authz.set_lifetime(future) + authz.set_subject_attributes(subject_id='user@google.com', 
project='MyProject', project_tag=[ + 'VM.NoLimit', + 'Component.SmartNIC', 'Component.NVME', 'Net.FABNetv6Ext', + 'Slice.Multisite' + ]) + authz.set_resource_subject_and_project(subject_id='user@google.com', project='MyProject') + + print(f"FacilityFail: {authz.transform_to_pdp_request()}") self.runOnStringRequest(authz.transform_to_pdp_request(), TAGPDP, 'Deny') \ No newline at end of file From 5a022e4520d6b74742746d8ca7b0c6a1883ffb81 Mon Sep 17 00:00:00 2001 From: Ilya Baldin Date: Tue, 20 Dec 2022 17:33:29 -0500 Subject: [PATCH 2/2] Fixed a bug in testing for facility ports to make sure ALL facilities in a slice match one of the project tags; added test cases --- .../orchestrator-project-tags.alfa | 4 ++-- src-gen/fabricTags.OrchestratorTags.xml | 2 +- test/test-harness.py | 10 ++++++++-- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa b/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa index 7cd4100..db628f0 100644 --- a/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa +++ b/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa @@ -197,10 +197,10 @@ namespace fabricTags { } rule withFacilityPorts { deny - condition stringBagSize(Attributes.resourceFacilityPort) > 0 && not(map(function[stringConcatenate], "Net.FacilityPort.", Attributes.resourceFacilityPort) == Attributes.projectTag) + condition stringBagSize(Attributes.resourceFacilityPort) > 0 && not(allOfAny(function[stringEqual], map(function[stringConcatenate], "Net.FacilityPort.", Attributes.resourceFacilityPort), Attributes.projectTag)) on deny { advice reasonToDeny { - Attributes.message = "Policy Violation: Your project is lacking Net.FacilityPort. tag to request a slice with facility ports." + Attributes.message = "Policy Violation: Your project is lacking Net.FacilityPort. tag to request a connection to one or more of the facilities." } } } 
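Review bot: The docstring of the new testFacilityOK is copied from the FABNetv4 test and still reads `Test that adding FABNetv4 with proper tag works`, and testFacilityFail's reads `Test that adding Facility with proper tag fails` although its project_tag list deliberately omits the Net.FacilityPort tag; suggest `Test that a facility port with a matching Net.FacilityPort tag is permitted` and `Test that a facility port without a matching Net.FacilityPort tag is denied`. Both methods bind c2, s1, s2 and sfac without referencing them again, and each calls authz.transform_to_pdp_request() twice, once for the print and once for runOnStringRequest; binding it once, `req = authz.transform_to_pdp_request()`, guarantees the printed request and the evaluated request are the same object. The two bodies differ only in the tag list, so a shared topology helper would make that single difference, which is the whole point of the pair, stand out to the reader.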
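Review bot: The rewritten condition in withFacilityPorts now requires every element of Attributes.resourceFacilityPort to equal some element of Attributes.projectTag, but no test in this series pins that "every" semantics: testFacilityOK (second patch, test-harness.py hunk @@ -607) tags both facilities and testFacilityFail tags none, so a regression back to any-of matching would pass both. A third case with the same two-facility topology and a tag list containing only `'Net.FacilityPort.RENCI-DTN'`, evaluated with `self.runOnStringRequest(authz.transform_to_pdp_request(), TAGPDP, 'Deny')`, is what actually exercises allOfAny. stringEqual is an exact, case-sensitive comparison, so the facility name carried in the request has to match the tag suffix byte-for-byte; a comment above the rule such as `// every facility port in the request must be covered by a Net.FacilityPort.<name> project tag (exact, case-sensitive match)` would record that contract next to the condition. The enclosing `namespace fabricTags {` opens before this hunk.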
diff --git a/src-gen/fabricTags.OrchestratorTags.xml b/src-gen/fabricTags.OrchestratorTags.xml index 11d4cde..a6171c3 100644 --- a/src-gen/fabricTags.OrchestratorTags.xml +++ b/src-gen/fabricTags.OrchestratorTags.xml 
@@ -1 +1 @@ -http://www.w3.org/TR/1999/REC-xpath-19991116http://www.w3.org/TR/1999/REC-xpath-19991116createhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver2VM.NoLimitCPUPolicy Violation: Your project is lacking VM.NoLimitCPU or VM.NoLimit tag to provision VM with more than 2 cores.Policy Violation: Policy returned deny for an unknown reason. This is an internal error.10VM.NoLimitDiskPolicy Violation: Your project is lacking VM.NoLimitDisk or VM.NoLimit tag to provision VM with disk over 10GB.10VM.NoLimitRAMPolicy Violation: Your project is lacking VM.NoLimitRAM or VM.NoLimit tag to provision VM with more than 10GB of RAM.http://www.w3.org/TR/1999/REC-xpath-19991116sliver21010VM.NoLimithttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverGPUComponent.GPUPolicy Violation: Your project is lacking Component.GPU tag to provision a VM with GPU.SmartNICComponent.SmartNICPolicy Violation: Your project is lacking Component.SmartNIC tag to provision a VM with SmartNIC.StorageComponent.StoragePolicy Violation: Your project is lacking Component.Storage tag to provision a VM with attached storage.FPGAComponent.FPGAPolicy Violation: Your project is lacking Component.FPGA tag to provision a VM with FPGA.NVMEComponent.NVMEPolicy Violation: Your project is lacking Component.NVME tag to provision a VM with NVME.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver0Net.FABNetv4ExtPolicy Violation: Your project is lacking Net.FABNetv4Ext tag to request a slice with external IPv4 connectivity.0Net.FABNetv6ExtPolicy Violation: Your project is lacking Net.FABNetv6Ext tag to request a slice with external IPv6 connectivity.0Net.PortMirroringPolicy Violation: Your project is lacking Net.PortMirroring tag to request a slice that uses port mirroring.1Slice.MultisitePolicy Violation: Your project is lacking Slice.Multisite tag to request a slice 
spanning multiple sites.10Net.NoLimitBWPolicy Violation: Your project is lacking Net.NoLimitBW tag to request links with bandwidth over 10Gbps.0Net.FacilityPort.Policy Violation: Your project is lacking Net.FacilityPort.<facility-port-name> tag to request a slice with facility ports.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116slivertrueSlice.MeasurementsPolicy Violation: Your project is lacking Slice.Measurements tag to request measurement resources.P14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking Slice.NoLimitLifetime tag so you cannot request resource lifetime longer than two weeks.http://www.w3.org/TR/1999/REC-xpath-19991116modifyhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot modify it.http://www.w3.org/TR/1999/REC-xpath-19991116deletehttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and cannot delete it.http://www.w3.org/TR/1999/REC-xpath-19991116renewhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot renew it.http://www.w3.org/TR/1999/REC-xpath-19991116sliverP14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking Slice.NoLimitLifetime tag so you cannot renew resource lifetime by longer than two weeks.http://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquishhttp://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquish \ No newline at end of file +http://www.w3.org/TR/1999/REC-xpath-19991116http://www.w3.org/TR/1999/REC-xpath-19991116createhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver2VM.NoLimitCPUPolicy Violation: Your project is 
lacking VM.NoLimitCPU or VM.NoLimit tag to provision VM with more than 2 cores.Policy Violation: Policy returned deny for an unknown reason. This is an internal error.10VM.NoLimitDiskPolicy Violation: Your project is lacking VM.NoLimitDisk or VM.NoLimit tag to provision VM with disk over 10GB.10VM.NoLimitRAMPolicy Violation: Your project is lacking VM.NoLimitRAM or VM.NoLimit tag to provision VM with more than 10GB of RAM.http://www.w3.org/TR/1999/REC-xpath-19991116sliver21010VM.NoLimithttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverGPUComponent.GPUPolicy Violation: Your project is lacking Component.GPU tag to provision a VM with GPU.SmartNICComponent.SmartNICPolicy Violation: Your project is lacking Component.SmartNIC tag to provision a VM with SmartNIC.StorageComponent.StoragePolicy Violation: Your project is lacking Component.Storage tag to provision a VM with attached storage.FPGAComponent.FPGAPolicy Violation: Your project is lacking Component.FPGA tag to provision a VM with FPGA.NVMEComponent.NVMEPolicy Violation: Your project is lacking Component.NVME tag to provision a VM with NVME.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver0Net.FABNetv4ExtPolicy Violation: Your project is lacking Net.FABNetv4Ext tag to request a slice with external IPv4 connectivity.0Net.FABNetv6ExtPolicy Violation: Your project is lacking Net.FABNetv6Ext tag to request a slice with external IPv6 connectivity.0Net.PortMirroringPolicy Violation: Your project is lacking Net.PortMirroring tag to request a slice that uses port mirroring.1Slice.MultisitePolicy Violation: Your project is lacking Slice.Multisite tag to request a slice spanning multiple sites.10Net.NoLimitBWPolicy Violation: Your project is lacking Net.NoLimitBW tag to request links with bandwidth over 10Gbps.0Net.FacilityPort.Policy Violation: Your project is lacking Net.FacilityPort.<facility-port-name> tag to request a 
connection to one or more of the facilities.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116slivertrueSlice.MeasurementsPolicy Violation: Your project is lacking Slice.Measurements tag to request measurement resources.P14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking Slice.NoLimitLifetime tag so you cannot request resource lifetime longer than two weeks.http://www.w3.org/TR/1999/REC-xpath-19991116modifyhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot modify it.http://www.w3.org/TR/1999/REC-xpath-19991116deletehttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and cannot delete it.http://www.w3.org/TR/1999/REC-xpath-19991116renewhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot renew it.http://www.w3.org/TR/1999/REC-xpath-19991116sliverP14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking Slice.NoLimitLifetime tag so you cannot renew resource lifetime by longer than two weeks.http://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquishhttp://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquish \ No newline at end of file diff --git a/test/test-harness.py b/test/test-harness.py index b587b6a..09a0ce0 100644 --- a/test/test-harness.py +++ b/test/test-harness.py 
@@ -607,11 +607,17 @@ def testFacilityOK(self) -> None: s2 = t.add_network_service(name='s2', nstype=fu.ServiceType.FABNetv6Ext, interfaces=[c4.interface_list[0]]) - fac1 = t.add_facility(name='RENCI-DTN', site='RENC', capacities=fu.Capacities(bw=10), + fac1 = t.add_facility(name='UKY-DTN', site='UKY', capacities=fu.Capacities(bw=10), labels=fu.Labels(vlan='100')) # facility needs to be connected via a service to something else sfac = t.add_network_service(name='s-fac', nstype=fu.ServiceType.L2STS, interfaces=[fac1.interface_list[0], + c4.interface_list[1]]) + fac2 = t.add_facility(name='RENCI-DTN', site='RENC', capacities=fu.Capacities(bw=10), + labels=fu.Labels(vlan='100')) + # facility needs to be connected via a service to something else + sfac = t.add_network_service(name='s-fac1', nstype=fu.ServiceType.L2STS, + interfaces=[fac2.interface_list[0], c1.interface_list[1]]) # this sets site property on fabnet, which is a must t.validate() @@ -628,7 +634,7 @@ def testFacilityOK(self) -> None: authz.set_subject_attributes(subject_id='user@google.com', project='MyProject', project_tag=[ 'VM.NoLimit', 'Component.SmartNIC', 'Component.NVME', 'Net.FABNetv6Ext', - 'Slice.Multisite', 'Net.FacilityPort.RENCI-DTN' + 'Slice.Multisite', 'Net.FacilityPort.RENCI-DTN', 'Net.FacilityPort.UKY-DTN' ]) authz.set_resource_subject_and_project(subject_id='user@google.com', project='MyProject')
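Review bot: In the @@ -607 hunk of testFacilityOK the added `sfac = t.add_network_service(name='s-fac1', ...)` rebinds the sfac assigned a few lines earlier, and neither binding is referenced within the hunk; either drop the assignment or name the second service distinctly, `sfac2 = t.add_network_service(name='s-fac1', nstype=fu.ServiceType.L2STS, ...`. The comment `# facility needs to be connected via a service to something else` is repeated verbatim for the second facility; a single comment above the pair, e.g. `# each facility must be attached to some other interface through a network service`, reads better. The method body continues past the hunk, so whether sfac is used later cannot be confirmed from here.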