service_policy_kit

A toolkit to verify services against security policies

8 releases (breaking)

0.7.0 Mar 20, 2022
0.6.0 Oct 15, 2021
0.5.0 Oct 14, 2021
0.4.0 Oct 14, 2021
0.1.1 Sep 30, 2021

Apache-2.0

83KB
2K SLoC
Service Policy Kit

service_policy_kit is a Rust based toolkit for verifying HTTP services against policies. You can:

  • Build a complete testing framework on your own, with service_policy_kit taking care of all the expectation logic
  • Run fuzzing tests against your services
  • Integrate in your code to perform custom readiness/self checks
  • Build your own tools (CLIs) that perform service validation and security testing of different kinds

Quick Start

Add to Cargo.toml

service_policy_kit = "0.2.0"

Example

Here's a full-blown policy runner that you can reuse:

use serde_yaml;
use service_policy_kit::data::{Context, SequenceInteractions};
use service_policy_kit::runner::{RunOptions, SequenceRunner};
use std::process::exit;

fn main() {
    // Build a sequence runner with the default options.
    let opts = RunOptions::default();
    let runner = SequenceRunner::from_opts(&opts);

    // The policy: one interaction that expects example.com to answer 200.
    let sequence: SequenceInteractions = serde_yaml::from_str(
        r#"
http_interactions:
- request:
    id: step one
    uri: http://example.com
  response:
    status_code: "200"
"#,
    )
    .unwrap();

    // The context carries variables extracted by one interaction to the next.
    let mut context = Context::new();
    let res = runner.run(&mut context, &sequence.http_interactions);

    // Non-zero exit code when any check reported a violation.
    exit(if res.ok { 0 } else { 1 })
}

You can run it by cloning this repo, and then:

cargo run --example quick-start

You should get:

$ cargo run --example quick-start

✔ step one: ok 288ms

Ran 1 interactions with 1 checks in 288ms

Success: 1
Failure: 0
  Error: 0
Skipped: 0

Capabilities

  • ✅  Flexible design: Use the runner for any purpose, sequence or individual interactions
  • ✅  Contextual flows: interactions can extract, define and pass variables to the next ones
  • ✅  Out of the box reporters: saves you some boilerplate work
  • ✅  Multiple checks included: content, benchmark, certificates
  • ✅  Discovery (WIP): given recorded API interactions, or an API spec, automatically generate interactions.

Concepts

There are a few concepts that make up service_policy_kit: Interaction, Expectation, Check, Violation and Runners.

Interaction

An interaction is a definition of calling an external service, and the expected responses per check type.

Interaction {
   request,
   response,
   examples,
   benchmark,
   cert,
}

Expectation (Policy)

An expectation is a set of expected matchers for all of the parts that are extracted from an interaction response.

Each of these fields takes a regular expression, which is matched against the corresponding part of the live response.

Response {
   headers,
   status_code,
   body,
   vars,
}
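As an added example (not taken from the crate's own docs), here is a two-interaction policy file for the runner shown in the quick start. The top-level http_interactions key and the request.id, request.uri and response.status_code keys are the ones used above; the headers and body matchers follow the field names of the Response expectation, but their exact YAML shape (a header-name-to-regex map and a single body regex) is an assumption to confirm against the crate's data module before relying on it.

```yaml
# Constructed policy with two sequential interactions. Every matcher below is
# a regular expression applied to the live response; status_code, headers and
# body are the Response expectation fields from the Concepts section.
http_interactions:
- request:
    id: health endpoint answers and sets transport security headers
    uri: https://example.com/healthz
  response:
    status_code: "200"
    # ASSUMED shape: header name -> regex. The intent is a violation when the
    # header is missing or its value does not match.
    headers:
      strict-transport-security: "max-age=\\d{6,}"
      content-type: "^application/json"
    # ASSUMED shape: a single regex over the whole response body.
    body: '"status"\s*:\s*"ok"'
- request:
    id: unauthenticated access to an admin route is rejected
    uri: https://example.com/admin/users
  response:
    # Either 401 or 403 satisfies the policy; any other status is a violation.
    status_code: "^40[13]$"
```

Loading this file with serde_yaml::from_str into SequenceInteractions and passing its http_interactions to SequenceRunner::run, exactly as in the quick start, exits non-zero as soon as either interaction reports a violation.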

Check

A check is an abstract action over a response. For example, running content expectation, a benchmark, or any other policy against a service.

Violation

Any check can output violations. A successful check has no violations.

Runners

A runner takes a set of interactions and executes them. For example, the included SequenceRunner always executes interactions in sequence, extracting variables from one interaction and passing them to the next one via Context.

Thanks

To all Contributors - you make this happen, thanks!

Copyright

Copyright (c) 2021 @jondot. See LICENSE for further details.