Don't raise InvalidScope exception when do_raise=False

In the Enforcer.enforce() method there is boolean parameter do_raise. When it is set to False, enforce() method should return True/False as an enforcement result and not raise exception. It works like that with PolicyNotAuthorized exception but since some time this method can also raise InvalidScope exception and in such case behaviour was different. This patch changes that behaviour so InvalidScope exception will also not be raised when do_raise=False. Closes-bug: #1965315 Change-Id: I37fd682ffa9d6f4c69698e1be42adac28bbfe72a
author: Slawek Kaplonski <skaplons@redhat.com> 2022-03-17 20:35:45 +0100
committer: Slawek Kaplonski <skaplons@redhat.com> 2022-03-17 20:38:32 +0100
commit: 9bc1783400f9960b7132bf631c690a98fbfc8066 (patch)
tree: e46da5cdf8959d0e7cdc86e322ae9d96142a8fb7
parent: 9eef147fc334b254974b634b4411cbb8875a8c5a (diff)
download: oslo-policy-9bc1783400f9960b7132bf631c690a98fbfc8066.tar.gz
2 files changed, 51 insertions, 13 deletions
diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py
index 48bc40f..445b1df 100644
--- a/oslo_policy/policy.py
+++ b/oslo_policy/policy.py
@@ -1042,7 +1042,10 @@ class Enforcer(object):
             # If the thing we're given is a Check, we don't know the
             # name of the rule, so pass None for current_rule.
             if rule.scope_types:
-                self._enforce_scope(creds, rule)
+                scope_valid = self._enforce_scope(creds, rule,
+                                                  do_raise=do_raise)
+                if not scope_valid:
+                    return False
             result = _checks._check(
                 rule=rule,
                 target=target,
@@ -1067,7 +1070,10 @@ class Enforcer(object):
 
                 registered_rule = self.registered_rules.get(rule)
                 if registered_rule and registered_rule.scope_types:
-                    self._enforce_scope(creds, registered_rule)
+                    scope_valid = self._enforce_scope(creds, registered_rule,
+                                                      do_raise=do_raise)
+                    if not scope_valid:
+                        return False
                 result = _checks._check(
                     rule=to_check,
                     target=target,
@@ -1085,7 +1091,7 @@ class Enforcer(object):
 
         return result
 
-    def _enforce_scope(self, creds, rule):
+    def _enforce_scope(self, creds, rule, do_raise=True):
         # Check the scope of the operation against the possible scope
         # attributes provided in `creds`.
         if creds.get('system'):
@@ -1097,11 +1103,15 @@ class Enforcer(object):
             # we're dealing with a project-scoped token.
             token_scope = 'project'  # nosec
 
+        result = True
         if token_scope not in rule.scope_types:
             if self.conf.oslo_policy.enforce_scope:
-                raise InvalidScope(
-                    rule, rule.scope_types, token_scope
-                )
+                if do_raise:
+                    raise InvalidScope(
+                        rule, rule.scope_types, token_scope
+                    )
+                else:
+                    result = False
             # If we don't raise an exception we should at least
             # inform operators about policies that are being used
             # with improper scopes.
@@ -1117,6 +1127,7 @@ class Enforcer(object):
                 }
             )
             warnings.warn(msg)
+        return result
 
     def _map_context_attributes_into_creds(self, context):
         creds = {}
diff --git a/oslo_policy/tests/test_policy.py b/oslo_policy/tests/test_policy.py
index 5dcf868..fdcdbca 100644
--- a/oslo_policy/tests/test_policy.py
+++ b/oslo_policy/tests/test_policy.py
@@ -923,15 +923,23 @@ class EnforcerTest(base.PolicyBaseTestCase):
         target_dict = {}
         self.assertRaises(
             policy.InvalidScope, self.enforcer.enforce, 'fake_rule',
-            target_dict, ctx
+            target_dict, ctx, do_raise=True
         )
+        # and the same should return False if do_raise=False
+        self.assertFalse(
+            self.enforcer.enforce(
+                'fake_rule', target_dict, ctx, do_raise=False))
 
         # model a project-scoped token, which should fail enforcement
         ctx = context.RequestContext(project_id='fake')
         self.assertRaises(
             policy.InvalidScope, self.enforcer.enforce, 'fake_rule',
-            target_dict, ctx
+            target_dict, ctx, True
         )
+        # and the same should return False if do_raise=False
+        self.assertFalse(
+            self.enforcer.enforce(
+                'fake_rule', target_dict, ctx, do_raise=False))
 
     def test_enforcer_understands_domain_scope(self):
         self.conf.set_override('enforce_scope', True, group='oslo_policy')
@@ -956,15 +964,23 @@ class EnforcerTest(base.PolicyBaseTestCase):
         target_dict = {}
         self.assertRaises(
             policy.InvalidScope, self.enforcer.enforce, 'fake_rule',
-            target_dict, ctx
+            target_dict, ctx, True
         )
+        # and the same should return False if do_raise=False
+        self.assertFalse(
+            self.enforcer.enforce(
+                'fake_rule', target_dict, ctx, do_raise=False))
 
         # model a project-scoped token, which should fail enforcement
         ctx = context.RequestContext(project_id='fake')
         self.assertRaises(
             policy.InvalidScope, self.enforcer.enforce, 'fake_rule',
-            target_dict, ctx
+            target_dict, ctx, True
         )
+        # and the same should return False if do_raise=False
+        self.assertFalse(
+            self.enforcer.enforce(
+                'fake_rule', target_dict, ctx, do_raise=False))
 
     def test_enforcer_understands_project_scope(self):
         self.conf.set_override('enforce_scope', True, group='oslo_policy')
@@ -989,15 +1005,23 @@ class EnforcerTest(base.PolicyBaseTestCase):
         target_dict = {}
         self.assertRaises(
             policy.InvalidScope, self.enforcer.enforce, 'fake_rule',
-            target_dict, ctx
+            target_dict, ctx, True
         )
+        # and the same should return False if do_raise=False
+        self.assertFalse(
+            self.enforcer.enforce(
+                'fake_rule', target_dict, ctx, do_raise=False))
 
         # model a domain-scoped token, which should fail enforcement
         ctx = context.RequestContext(domain_id='fake')
         self.assertRaises(
             policy.InvalidScope, self.enforcer.enforce, 'fake_rule',
-            target_dict, ctx
+            target_dict, ctx, True
         )
+        # and the same should return False if do_raise=False
+        self.assertFalse(
+            self.enforcer.enforce(
+                'fake_rule', target_dict, ctx, do_raise=False))
 
     def test_enforce_scope_with_subclassed_checks_when_scope_not_set(self):
         self.conf.set_override('enforce_scope', True, group='oslo_policy')
@@ -1013,7 +1037,10 @@ class EnforcerTest(base.PolicyBaseTestCase):
         ctx = context.RequestContext(system_scope='all', roles=['admin'])
         self.assertRaises(
             policy.InvalidScope,
-            self.enforcer.enforce, rule, {}, ctx)
+            self.enforcer.enforce, rule, {}, ctx, do_raise=True)
+        # and the same should return False if do_raise=False
+        self.assertFalse(
+            self.enforcer.enforce(rule, {}, ctx, do_raise=False))
 
 
 class EnforcerNoPolicyFileTest(base.PolicyBaseTestCase):
author	Slawek Kaplonski <skaplons@redhat.com>	2022-03-17 20:35:45 +0100
committer	Slawek Kaplonski <skaplons@redhat.com>	2022-03-17 20:38:32 +0100
commit	9bc1783400f9960b7132bf631c690a98fbfc8066 (patch)
tree	e46da5cdf8959d0e7cdc86e322ae9d96142a8fb7
parent	9eef147fc334b254974b634b4411cbb8875a8c5a (diff)
download	oslo-policy-9bc1783400f9960b7132bf631c690a98fbfc8066.tar.gz