author | Slawek Kaplonski <skaplons@redhat.com> | 2021-10-05 11:16:04 +0200 |
---|---|---|
committer | Slawek Kaplonski <skaplons@redhat.com> | 2021-11-23 21:30:14 +0000 |
commit | 919c3280aa79762df8475f131a65d12b78ac436e (patch) | |
tree | a9af15e892cdbc3e9a9982ffc6b35783f7fad7c1 /oslo_policy | |
parent | 1e89f032b7b47cc2a3567da40fc6d5ace10ee768 (diff) | |
download | oslo-policy-919c3280aa79762df8475f131a65d12b78ac436e.tar.gz |
Enforce scope check always when rule has scope_types set3.10.1
Previously it was checked only for registered rules but not for
rules which are subclasses of the BaseCheck class.
Now it's checked for all rules which have scope_types set.
It's required e.g. for Neutron, which creates Check objects based
on the defined policy rules, e.g. to include in the check attributes
like the network's provider parameters, etc.
Depends-On: https://review.opendev.org/c/openstack/neutron/+/815838
Depends-On: https://review.opendev.org/c/openstack/neutron/+/818725
Closes-Bug: #1923503
Change-Id: I55258c1f999c84220518d1fbbf5e1e514361cebe
Diffstat (limited to 'oslo_policy')
-rw-r--r-- | oslo_policy/policy.py | 2 | ||||
-rw-r--r-- | oslo_policy/tests/test_policy.py | 16 |
2 files changed, 18 insertions, 0 deletions
diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py
index 875727f..48bc40f 100644
--- a/oslo_policy/policy.py
+++ b/oslo_policy/policy.py
@@ -1041,6 +1041,8 @@ class Enforcer(object):
 if isinstance(rule, _checks.BaseCheck):
 # If the thing we're given is a Check, we don't know the
 # name of the rule, so pass None for current_rule.
+ if rule.scope_types:
+ self._enforce_scope(creds, rule)
 result = _checks._check(
 rule=rule,
 target=target,
diff --git a/oslo_policy/tests/test_policy.py b/oslo_policy/tests/test_policy.py
index f24a02e..5dcf868 100644
--- a/oslo_policy/tests/test_policy.py
+++ b/oslo_policy/tests/test_policy.py
@@ -999,6 +999,22 @@ class EnforcerTest(base.PolicyBaseTestCase):
 target_dict, ctx
 )
+ def test_enforce_scope_with_subclassed_checks_when_scope_not_set(self):
+ self.conf.set_override('enforce_scope', True, group='oslo_policy')
+ rule = _checks.TrueCheck()
+ rule.scope_types = None
+ ctx = context.RequestContext(system_scope='all', roles=['admin'])
+ self.enforcer.enforce(rule, {}, ctx)
+ def test_enforcer_raises_invalid_scope_with_subclassed_checks(self):
+ self.conf.set_override('enforce_scope', True, group='oslo_policy')
+ rule = _checks.TrueCheck()
+ rule.scope_types = ['domain']
+ ctx = context.RequestContext(system_scope='all', roles=['admin'])
+ self.assertRaises(
+ policy.InvalidScope,
+ self.enforcer.enforce, rule, {}, ctx)
+
 class EnforcerNoPolicyFileTest(base.PolicyBaseTestCase):
 def setUp(self): |
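Review bot: The two added lines sit between the existing comment and the `result = _checks._check(` call that comment describes ("pass None for current_rule"), so the comment now reads as if it explained the scope check; move the new `if` above the comment or give it its own, e.g. `# A Check object may carry its own scope_types; enforce them before evaluating it, as is done for registered rules.` The guard also reads `rule.scope_types` on every `BaseCheck` subclass, so if `_checks.BaseCheck` does not declare a default `scope_types`, Check subclasses written outside oslo.policy would now fail with AttributeError instead of being evaluated — `if getattr(rule, 'scope_types', None):` keeps that path safe (confirm against `_checks.BaseCheck`). Whether a scope mismatch raises or only warns when `enforce_scope` is disabled is decided inside `_enforce_scope`, which is not visible here; since this is a new failure point for callers that pass Check objects, it is worth stating in the commit message. The enclosing `Enforcer.enforce` starts and ends outside the hunk.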
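Review bot: `test_enforce_scope_with_subclassed_checks_when_scope_not_set` discards the return value of `self.enforcer.enforce(rule, {}, ctx)`, so it only proves that no exception is raised, not that the TrueCheck is still evaluated; `self.assertTrue(self.enforcer.enforce(rule, {}, ctx))` would pin that. The positive case is also missing: a check whose `scope_types` matches the token scope (e.g. `rule.scope_types = ['system']` with the same system-scoped context) should be asserted to pass, and a case with `enforce_scope` left at its default would document whether a mismatch on a Check object is presumably only logged, as with registered rules, rather than raised. The enclosing `EnforcerTest` class starts outside the hunk.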