MIT CSAIL

Policy Assurance in Database Systems: Test Cases

Overview

This page is part of the policy assurance project.These tests verify the correct functionality of the automatically generated policies. The Tabulator Firefox extension is mandatory to see these work. To verify, paste the relevant query and policy URIs into the policy execution page, or click the "Online Demo" image.

Restriction Policy

policy: ex:a USE, ex:b RETRIEVE, ex:c USE and RETRIEVE. Displays in Tabulator correctly.
query: will USE and RETRIEVE a, RETRIEVE b, and RETRIEVE c. Should be non-compliant. Displays in Tabulator correctly. Reasoner evaluates result correctly as non-compliant but Tabulator does not render correctly due to what appears to be a Tabulator bug in the handling of the FILTER part.Online Demo
query: will RETRIEVE a, USE b, and not mention c. Should be compliant. Displays in Tabulator correctly. Evaluates as compliant and works correctly in Tabulator.Online Demo

Inclusion Policy

policy: ex:a USE, ex:b RETRIEVE, ex:c USE and RETRIEVE. Displays in Tabulator correctly.
query: will USE a and RETRIEVE a, only. Should be non-compliant. Displays in Tabulator correctly. Reasoner evaluates result correctly as non-compliant but Tabulator does not render correctly due to what appears to be a Tabulator bug in the handling of the FILTER part.Online Demo
query: will USE a, RETRIEVE b, and USE and RETRIEVE c. Should be compliant. Displays in Tabulator correctly. Infinite loop. This may be due to a bug in the reasoner, the difficulty of the policy, or a lack of computing power.Online Demo

(Simpler) Inclusion Policy

policy: ex:a USE and RETRIEVE, ex:b RETRIEVE. Displays in Tabulator correctly.
query: will USE and RETRIEVE a and RETRIEVE b. Should be compliant. Displays in Tabulator correctly. Reasoner evaluates result correctly as compliant but Tabulator does not render correctly due to what appears to be a Tabulator bug in the handling of the FILTER part.Online Demo
query: will USE and RETRIEVE a, online. Should be non-compliant. Displays in Tabulator correctly. Evaluates as non-compliant and works correctly in Tabulator.Online Demo

Exclusion Policy

policy: must not USE a and RETRIEVE a and RETRIEVE b together. Displays in Tabulator correctly.
query: will USE a and RETRIEVE a and RETRIEVE b. Should be non-compliant. Displays in Tabulator correctly. Reasoner evaluates result correctly as non-compliant but Tabulator does not render correctly due to what appears to be a Tabulator bug in the handling of the FILTER part.Online Demo
query: will RETRIEVE a and RETRIEVE b. Should be compliant. Displays in Tabulator correctly. Evaluates as compliant and works correctly in Tabulator.Online Demo

History-Aware Exclusion Policy

This demo does not evaluate in Tabulator. You need to have check-policy.py and a local installation of policyrunner, version 25787, symlinked to "policyrunner" in a shell. Including this for completeness.

policy: must not USE a and RETRIEVE a and RETRIEVE b together. Displays in Tabulator correctly.
query: will RETRIEVE a and RETRIEVE b. Should be compliant. Displays in Tabulator correctly. Evaluates as compliant and works correctly in Tabulator.
query: will USE a. Should cause non-compliance. Displays in Tabulator correctly.
This certainly works per these directions. Note that policyrunner needs to point to policyrunner.py; make sure to configure the shell correctly.

Default Deny Policy

policy: allows a, b, c. Displays in Tabulator correctly.
good query shown below - Should be compliant. Displays in Tabulator correctly. Evaluates as compliant and works correctly in Tabulator.Online Demo 
PREFIX ex: <http://example.com/#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
SELECT * WHERE {
     ?s ex:a ?n.
     ?s ex:b ?a.
     ?s ex:c ?id.
}

bad query shown below- Should be non-compliant. Displays in Tabulator correctly. Evaluates as non-compliant and works correctly in Tabulator.Online Demo 
PREFIX ex: <http://example.com/#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
SELECT * WHERE {
     ?s ex:d ?n.
     ?s ex:e ?a.
     ?s ex:f ?id.
}

Chaining Policy With Filter

policy: if you RETRIEVE a you must also FILTER a > 18. Default is non-compliant so need to do something to assert compliance. Displays in Tabulator correctly.
query: will RETRIEVE a and RETRIEVE b. Should be non-compliant. Displays in Tabulator correctly. Evaluates as non-compliant and works correctly in Tabulator.Online Demo
query: will RETRIEVE a and b and c and FILTER a > 18. Should be compliant. Displays in Tabulator correctly. Evaluates as compliant and works correctly in Tabulator.Online Demo

Chaining Policy

policy: if RETRIEVE a must also RETRIEVE b or fails. default noncompliance and default compliance. The Online Demo links both use the default noncompliance policy.
good query shown below- will RETRIEVE a and RETRIEVE b. Is compliant with default non-compliance. Is non-compliant with default compliance. Policy and reasoning display correctly in Tabulator.Online Demo 
PREFIX ex: <http://example.com/#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
SELECT * WHERE {
     ?s ex:a ?n.
     ?s ex:b ?a.
}
bad query shown below- will RETRIEVE a, only. Is non-compliant with default non-compliance. Is compliant with default compliance. Policy and reasoning display correctly in Tabulator.Online Demo 
PREFIX ex: <http://example.com/#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
SELECT * WHERE {
     ?s ex:a ?n.
}

Valid XHTML 1.0!
maintained by Jose Hiram Soltren