ia64/xen-unstable

view tools/xm-test/tests/security-acm/10_security-acm_pol_update.py @ 17961:d90c5e8d4ac2

xm-test: Remove a policy reset from acm test case

Remove the resetting of the policy from this point in the test case
since the new default policy has the '__UNLABELED__' label, which is
not expected in subsequent checks.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author Keir Fraser <keir.fraser@citrix.com>
date Thu Jul 03 11:32:10 2008 +0100 (2008-07-03)
parents 35f4f285762f
1 #!/usr/bin/python
3 # Copyright (C) International Business Machines Corp., 2006
4 # Author: Stefan Berger <stefanb@us.ibm.com>
5 #
7 import os
8 import re
9 import commands
10 from XmTestLib import *
11 import xen.util.xsm.xsm as security
12 from xen.util import xsconstants
def checkLabel(labeldata, expected, domname):
    """Compare a parsed label with the expected one, field by field.

    labeldata and expected are both indexed 0..2. The messages below
    describe index 0 as the policy type, index 1 as the policy and
    index 2 as the label. Each mismatch is reported through FAIL with
    domname in the message.
    """
    # NOTE(review): FAIL comes from XmTestLib; presumably it aborts the
    # test, otherwise the later fields are still compared - confirm.
    if labeldata[0] != expected[0]:
        type_msg = "Policy type of %s is bad: %s" % (domname, labeldata[0])
        FAIL(type_msg)
    if labeldata[1] != expected[1]:
        policy_msg = ("Unexpected policy indicated in %s label '%s', expected '%s'." %
                      (domname, labeldata[1], expected[1]))
        FAIL(policy_msg)
    if labeldata[2] != expected[2]:
        label_msg = ("%s does not have '%s' label but '%s'." %
                     (domname, expected[2], labeldata[2]))
        FAIL(label_msg)
# The whole test is about ACM policy handling; skip it when ACM is off.
if not isACMEnabled():
    SKIP("Not running this test since ACM not enabled.")

# Policy and label names used by the rest of the test.
testpolicy = "xm-test"
testlabel1, testlabel2, testlabel3 = "blue", "red", "green"

# Reset the policy - must work. A non-zero status counts as failure.
reset_status, reset_output = traceCommand('xm resetpolicy')
if reset_status:
    FAIL("Could not reset the policy.")
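# Remove the labels of all phy/file/vlan resources so that labels left
# over from an earlier run cannot influence the checks below.
# The pattern is a group: the former "^[phy|file|vlan]" was a bracket
# expression and matched any line starting with one of those characters.
s, o = traceCommand('xm resources | grep -E "^(phy|file|vlan)" ')
resnames = []
if o:
    # Skip blank lines so that no 'xm rmlabel' runs without a resource name.
    resnames = [name for name in o.split('\n') if name.strip()]

for res in resnames:
    # Best effort: the status of rmlabel is deliberately not checked.
    # NOTE(review): res is placed unquoted into a command line that is
    # interpreted by a shell (the other commands rely on '|'), so
    # resource names are assumed to hold no shell metacharacters.
    s, o = traceCommand('xm rmlabel res %s' % res)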
# An unlabeled domain must not start under the xm-test policy.
domain_ul = XmTestDomain(extraConfig=None, name='domain-unlabeled')
# Drop the access_control option so the domain carries no label at all.
domain_ul.config.opts.pop('access_control')
try:
    domain_ul.start(noConsole=True)
    FAIL("Could start unlabeled domain.")
except DomainError, e:
    # NOTE(review): any DomainError counts as the expected refusal here;
    # the reason for the failed start is not inspected, so a start that
    # fails for an unrelated reason also passes this check.
    domain_ul.destroy()  # delete if xend-managed domain
# Define one domain labeled blue and one labeled green under the test policy.
blue_access = "policy=%s,label=%s" % (testpolicy, testlabel1)
config = {"access_control": blue_access}
domain_blue = XmTestDomain(extraConfig=config,
                           name='domain-%s' % testlabel1)

green_access = "policy=%s,label=%s" % (testpolicy, testlabel3)
config = {"access_control": green_access}
domain_green = XmTestDomain(extraConfig=config,
                            name='domain-%s' % testlabel3)

# The blue domain has to start; it is kept running for the policy
# update attempt later in the test.
try:
    domain_blue.start(noConsole=True)
except DomainError, e:
    if verbose:
        print e.extra
    FAIL("Unable to start blue labeled test domain")
def _dom0_label_must_be(label, sep=None):
    """Read Domain-0's label with 'xm list' and compare it with xm-test:<label>.

    sep is handed to str.split() when the output line is cut into
    fields; None splits on any run of whitespace.
    """
    status, output = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
    if status:
        FAIL("Could not get the label of Domain-0")

    fields = output.strip().split(sep)
    # The last field is expected to look like <type>:<policy>:<label>.
    parts = fields[-1].split(':')
    if len(parts) != 3:
        FAIL("Label of Domain-0 is bad: '%s'" % fields[-1])
    checkLabel(parts,
               [xsconstants.ACM_POLICY_ID, "xm-test", label],
               "Domain-0")


# Domain-0 starts out with the SystemManagement label.
_dom0_label_must_be("SystemManagement", ' ')

# Should be able to set the Domain-0 label to blue
status, output = traceCommand('xm addlabel blue mgt Domain-0')
if status:
    FAIL("Could not set the label of Domain-0 to 'blue'.")
_dom0_label_must_be("blue")

# Should not be able to set the label of Domain-0 to 'red';
# the label has to remain blue after the refused change.
status, output = traceCommand('xm addlabel red mgt Domain-0')
if not status:
    FAIL("Could set the label of Domain-0 to 'red'.")
_dom0_label_must_be("blue")

# Should be able to set the label of Domain-0 to 'SystemManagement'
status, output = traceCommand('xm addlabel SystemManagement mgt Domain-0')
if status:
    FAIL("Could not set the label of Domain-0 to 'SystemManagement'.")
_dom0_label_must_be("SystemManagement")
# Label one file resource each as green, red and blue.
for label_cmd, fail_msg in (
        ('xm addlabel green res file:/tmp/green',
         "Could not label resource 'green'."),
        ('xm addlabel red res file:/tmp/red',
         "Could not label resource 'red'."),
        ('xm addlabel blue res file:/tmp/blue',
         "Could not label resrouce 'blue'")):
    status, output = traceCommand(label_cmd)
    if status:
        FAIL(fail_msg)

# Start a green domain
try:
    domain_green.start(noConsole=True)
except DomainError, e:
    if verbose:
        print e.extra
    FAIL("Unable to start green labeled test domain")
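# Update the system's policy. Should not work, since blue Domain is running
s, o = traceCommand('xm setpolicy ACM xm-test-update')
if not s:
    FAIL("Could set the new policy even though blue domain is running.")

# The refused update must leave xm-test as the active policy.
s, o = traceCommand('xm getpolicy | grep "Policy name"')
info = o.split(':')
poldata = [i.strip() for i in info]

# Report a failed or unparsable 'xm getpolicy' as a test failure
# instead of running into an IndexError on poldata[1].
if s or len(poldata) < 2:
    FAIL("Could not get the name of the current policy.")
elif poldata[1] != 'xm-test':
    FAIL("Policy should be 'xm-test' but is now '%s'." % poldata[1])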
# Check that no labels have changed: every resource must still carry
# its label under the xm-test policy after the refused update.
for color in ('green', 'red', 'blue'):
    status, output = traceCommand('xm getlabel res file:/tmp/%s' % color)
    if status:
        FAIL("Could not get label for %s resource." % color)
    label = output.strip()
    if label != 'ACM:xm-test:%s' % color:
        FAIL("Label for %s resource has changed to '%s', but should not have,"
             % (color, label))
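# Terminate blue domain
domain_blue.destroy()

# Update the system's policy. Should work and rename the green domain to GREEN
s, o = traceCommand('xm setpolicy ACM xm-test-update')
if s:
    FAIL("Could not set the new policy.")

# NOTE(review): 'acm' is not imported by name in this file; presumably
# it is made available by 'from XmTestLib import *' - confirm.
acm.setCurrentPolicy('xm-test-update')

s, o = traceCommand('xm getpolicy | grep "Policy name"')
info = o.split(':')
poldata = [i.strip() for i in info]

# Report a failed or unparsable 'xm getpolicy' as a test failure
# instead of running into an IndexError on poldata[1].
if s or len(poldata) < 2:
    FAIL("Could not get the name of the current policy.")
elif poldata[1] != 'xm-test-update':
    FAIL("Policy should be 'xm-test-update' but is now '%s'." % poldata[1])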
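# check previously labeled resources after the policy update
# - green should be GREEN now
# - red is expected as RED under xm-test-update
# - blue should have been invalidated (INV_ prefix, old policy name)
s, o = traceCommand('xm getlabel res file:/tmp/green')
if s:
    FAIL("Could not get label for GREEN resource.")
label=o.strip()
exp = 'ACM:xm-test-update:GREEN'
if label != exp:
    # The former message claimed the label "should not have" changed,
    # although this check expects the renamed label.
    FAIL("Label for GREEN resource is '%s', expected is '%s'."
         % (label, exp))

s, o = traceCommand('xm getlabel res file:/tmp/red')
if s:
    FAIL("Could not get label for RED resource.")
label=o.strip()
if label != 'ACM:xm-test-update:RED':
    FAIL("Label for RED resource has changed to '%s', expected is '%s',"
         % (label,'ACM:xm-test-update:RED'))

s, o = traceCommand('xm getlabel res file:/tmp/blue')
if s:
    FAIL("Could not get label for blue resource.")
label=o.strip()
if label != 'INV_ACM:xm-test:blue':
    FAIL("Label for blue resource has changed to '%s', expected is '%s',"
         % (label,'INV_ACM:xm-test:blue'))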
# A red domain under the updated policy.
red_access = "policy=%s,label=%s" % ('xm-test-update', testlabel2)
config = {"access_control": red_access}
domain_red = XmTestDomain(extraConfig=config,
                          name='domain-%s' % testlabel2)

# Start the red domain - should not work due to conflict set
# (the GREEN domain is still running at this point).
try:
    domain_red.start(noConsole=True)
    FAIL("Could start 'red' domain.")
except DomainError, e:
    # NOTE(review): the reason for the refusal is not inspected; any
    # DomainError is taken as the conflict-set denial.
    domain_red.destroy()  # delete if xend-managed domain

# Terminate GREEN domain
domain_green.destroy()

# Start the red domain - should work now
try:
    domain_red.start()
except DomainError, e:
    FAIL("Could not start 'red' domain.")

# Stop the red domain.
domain_red.destroy()
# Make Domain-0 GREEN
status, output = traceCommand('xm addlabel GREEN mgt Domain-0')
if status:
    FAIL("Could not set Domain-0's label to 'GREEN'.")

# Read the label back and verify it under the updated policy.
status, output = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
if status:
    FAIL("Could not get the label of Domain-0")

fields = output.strip().split()
labeldata = fields[-1].split(':')
if len(labeldata) != 3:
    FAIL("Label of Domain-0 is bad: '%s'" % fields[-1])
expected_label = [xsconstants.ACM_POLICY_ID, "xm-test-update", "GREEN"]
checkLabel(labeldata, expected_label, "Domain-0")

# Start the red domain - should not work due to conflict set
# (Domain-0 itself is labeled GREEN now).
try:
    domain_red.start()
    FAIL("Could start 'red' domain.")
except DomainError, e:
    # Expected outcome; nothing to clean up here.
    pass
# Set Domain-0's label back to SystemManagement
status, output = traceCommand('xm addlabel SystemManagement mgt Domain-0')
if status:
    FAIL("Could not set Domain-0's label to SystemManagement.")

# Start unlabeled domain - should work
# (the same domain was refused earlier under the xm-test policy).
try:
    domain_ul.start(noConsole=True)
except DomainError, e:
    FAIL("Could not start unlabeled domain.")

# Stop red domain, then the unlabeled domain.
for running_domain in (domain_red, domain_ul):
    running_domain.destroy()
# Mark Domain-0 as red. This must not have any effect on the later reset
status, output = traceCommand('xm addlabel red mgt Domain-0')
if status:
    FAIL("Could not set Domain-0's label to 'red'.")

# Read the label back and verify it before the reset.
status, output = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
if status:
    FAIL("Could not get the label of Domain-0")

fields = output.strip().split()
labeldata = fields[-1].split(':')
if len(labeldata) != 3:
    FAIL("Label of Domain-0 is bad: '%s'" % fields[-1])
expected_label = [xsconstants.ACM_POLICY_ID, "xm-test-update", "red"]
checkLabel(labeldata, expected_label, "Domain-0")

# reset the policy - should work
status, output = traceCommand('xm resetpolicy')
if status:
    FAIL("Could not reset the policy.")
# check previously labeled resources after the reset
# - GREEN should be invalid
# - red should be invalid
# - blue should be invalid
# Each entry: resource path, message when the label cannot be read,
# expected (invalidated) label, message when the label differs.
for res_path, read_msg, exp, mismatch_msg in (
        ('file:/tmp/green',
         "Could not get label for GREEN resource.",
         'INV_ACM:xm-test-update:GREEN',
         "Label for green resource has changed to '%s', but should be '%s',"),
        ('file:/tmp/red',
         "Could not get label for RED resource.",
         'INV_ACM:xm-test-update:RED',
         "Label for RED resource has changed to '%s', but should be '%s'.,"),
        ('file:/tmp/blue',
         "Could not get label for blue resource.",
         'INV_ACM:xm-test:blue',
         "Label for blue resource has changed to '%s', but should be '%s',")):
    status, output = traceCommand('xm getlabel res %s' % res_path)
    if status:
        FAIL(read_msg)
    label = output.strip()
    if label != exp:
        FAIL(mismatch_msg % (label, exp))