All the policies, that are already created, needs to be specified to execute this verification. Then, the datas treated in each policy are stored in sets. We then check whether the sets are disjoint or not. If they are not, there will be an intersection between different sets, and respective policies. There is our Collision. Actually theres only one way to verify the Collision, that is manually. Making this verification occurs automatically, where for each new Policy created in Hapi the test is executed, it is a future project.
User X was given the task of defining Resource access:
ID, PRODUCTS, EMAIL for
In user X's system there are hundreds of defined Policies that work perfectly.
A Policy A that defines Resources:
SSN, EMAIL and
CCN already exists in the
system, expressed as follows:
data: [SSN, EMAIL, CCN] rules: - identities: users: Alice Updates: data: [CCN, EMAIL] Deletes: data: [CCN, EMAIL] - identities: users: Bob Updates: data: [CCN, EMAIL] Deletes: data: [EMAIL]
However, not knowing about the existence of such a policy, and that it already
governed what happened with Resource
data: [ID, PRODUCTS, EMAIL] rules: - identities: users: Alice Updates: data: [PRODUCTS, ID] Deletes: data: [PRODUCTS, ID] - identities: users: Bob Updates: data: [PRODUCTS, EMAIL] Deletes: data: [PRODUCTS]
As you can see, both Policies A and B define different access restrictions under
Indicating the conflicting Resource:
The verification of the Collision property occurs with multiple YAML Policy files being passed as a reference in the Verification Call.
Within the plugin, the framework reads every policy and stores all Resources (data) that are treated in each one in different Sets (One set for each Policy):
#...While there is policies... with open("fixtures/yaml/first-deny.yaml", "r") as ymlfile: #Opening the policy cfg = yaml.load(ymlfile) Policy_name_1 = set(cfg["data"]) #Getting the defined Resources
Finally, all the Sets containing the Resources that are treated in each policy, are added to a list. In this way, we obtain a list of Sets.
In the second moment, we used two Loops while, to compare all the sets stored in the List. If two sets are 'disjunct', that is, without similar elements, the loop advances to compare the next set:
while iterator < len(list_of_policiess): aux = iterator + 1 while aux < len(list_of_policiess): if not list_of_policiess[iterator].isdisjoint(list_of_policiess[aux]): overlapped_resources = list_of_policiess[iterator].intersection(list_of_policiess[iterator+1]) collision_boolean = True break aux += 1 if collision_boolean == True: break iterator += 1
If there are similar elements in two different sets: the loops are closed, the names of the Policies corresponding to each Set are stored in an auxiliary variable, and these two sets are intersected, that will return the similar elements.
After the loop, an auxiliary variable called collision_boolean is used to indicate whether a 'collision' has occurred or not. Being 'True', the test returns the Conflict Policies and Resources governed by both simultaneously. Being 'False', the test passes, telling the user that there are no conflicting policies.
Pre-built execution test:
python main.py -collision_verifier None
Note: To run the "Pre-builted execution tests" you need to be on the '../hapi/test' folder