From bbd6a67c46c935d83214b4c64424fda2fab375c9 Mon Sep 17 00:00:00 2001
From: Juan Font <juanfontalonso@gmail.com>
Date: Sat, 3 Jul 2021 17:31:08 +0200
Subject: [PATCH] Added more acl test hujsons

---
 tests/acls/acl_policy_1.hujson       |  16 ++--
 tests/acls/acl_policy_invalid.hujson | 125 +++++++++++++++++++++++++++
 2 files changed, 135 insertions(+), 6 deletions(-)
 create mode 100644 tests/acls/acl_policy_invalid.hujson

diff --git a/tests/acls/acl_policy_1.hujson b/tests/acls/acl_policy_1.hujson
index 3e12bf48..c9881d82 100644
--- a/tests/acls/acl_policy_1.hujson
+++ b/tests/acls/acl_policy_1.hujson
@@ -5,6 +5,10 @@
             "user1@example.com",
             "user2@example.com",
         ],
+        "group:example2": [
+            "user1@example.com",
+            "user2@example.com",
+        ],
     },
     // Declare hostname aliases to use in place of IP addresses or subnets.
     "Hosts": {
@@ -33,8 +37,8 @@
         {
             "Action": "accept",
             "Users": [
-                "group:engineering",
-                "president@example.com"
+                "group:example2",
+                "192.168.1.1"
             ],
             "Ports": [
                 "*:22,3389",
@@ -47,7 +51,7 @@
         {
             "Action": "accept",
             "Users": [
-                "group:engineers"
+                "group:example"
             ],
             "Ports": [
                 "tag:production:*"
@@ -58,11 +62,11 @@
         {
             "Action": "accept",
             "Users": [
-                "my-subnet",
+                "example-host-2",
                 "192.168.1.0/24"
             ],
             "Ports": [
-                "my-subnet:*",
+                "example-host-1:*",
                 "192.168.1.0/24:*"
             ],
         },
@@ -83,7 +87,7 @@
         {
             "Action": "accept",
             "Users": [
-                "group:montreal-users"
+                "example-host-1"
             ],
             "Ports": [
                 "tag:montreal-webserver:80,443"
diff --git a/tests/acls/acl_policy_invalid.hujson b/tests/acls/acl_policy_invalid.hujson
new file mode 100644
index 00000000..ad640dfe
--- /dev/null
+++ b/tests/acls/acl_policy_invalid.hujson
@@ -0,0 +1,125 @@
+{
+    // Declare static groups of users beyond those in the identity service.
+    "Groups": {
+        "group:example": [
+            "user1@example.com",
+            "user2@example.com",
+        ],
+    },
+    // Declare hostname aliases to use in place of IP addresses or subnets.
+    "Hosts": {
+        "example-host-1": "100.100.100.100",
+        "example-host-2": "100.100.101.100/24",
+    },
+    // Define who is allowed to use which tags.
+    "TagOwners": {
+        // Everyone in the montreal-admins or global-admins group are
+        // allowed to tag servers as montreal-webserver.
+        "tag:montreal-webserver": [
+            "group:montreal-admins",
+            "group:global-admins",
+        ],
+        // Only a few admins are allowed to create API servers.
+        "tag:api-server": [
+            "group:global-admins",
+            "example-host-1",
+        ],
+    },
+    // Access control lists.
+    "ACLs": [
+        // Engineering users, plus the president, can access port 22 (ssh)
+        // and port 3389 (remote desktop protocol) on all servers, and all
+        // ports on git-server or ci-server.
+        {
+            "Action": "accept",
+            "Users": [
+                "group:engineering",
+                "president@example.com"
+            ],
+            "Ports": [
+                "*:22,3389",
+                "git-server:*",
+                "ci-server:*"
+            ],
+        },
+        // Allow engineer users to access any port on a device tagged with
+        // tag:production.
+        {
+            "Action": "accept",
+            "Users": [
+                "group:engineers"
+            ],
+            "Ports": [
+                "tag:production:*"
+            ],
+        },
+        // Allow servers in the my-subnet host and 192.168.1.0/24 to access hosts
+        // on both networks.
+        {
+            "Action": "accept",
+            "Users": [
+                "my-subnet",
+                "192.168.1.0/24"
+            ],
+            "Ports": [
+                "my-subnet:*",
+                "192.168.1.0/24:*"
+            ],
+        },
+        // Allow every user of your network to access anything on the network.
+        // Comment out this section if you want to define specific ACL
+        // restrictions above.
+        {
+            "Action": "accept",
+            "Users": [
+                "*"
+            ],
+            "Ports": [
+                "*:*"
+            ],
+        },
+        // All users in Montreal are allowed to access the Montreal web
+        // servers.
+        {
+            "Action": "accept",
+            "Users": [
+                "group:montreal-users"
+            ],
+            "Ports": [
+                "tag:montreal-webserver:80,443"
+            ],
+        },
+        // Montreal web servers are allowed to make outgoing connections to
+        // the API servers, but only on https port 443.
+        // In contrast, this doesn't grant API servers the right to initiate
+        // any connections.
+        {
+            "Action": "accept",
+            "Users": [
+                "tag:montreal-webserver"
+            ],
+            "Ports": [
+                "tag:api-server:443"
+            ],
+        },
+    ],
+    // Declare tests to check functionality of ACL rules
+    "Tests": [
+        {
+            "User": "user1@example.com",
+            "Allow": [
+                "example-host-1:22",
+                "example-host-2:80"
+            ],
+            "Deny": [
+                "exapmle-host-2:100"
+            ],
+        },
+        {
+            "User": "user2@example.com",
+            "Allow": [
+                "100.60.3.4:22"
+            ],
+        },
+    ],
+}
\ No newline at end of file