Diffstat (limited to 'oslo_policy')
-rw-r--r--oslo_policy/policy.py23
-rw-r--r--oslo_policy/tests/test_policy.py41
2 files changed, 51 insertions, 13 deletions
diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py
index 48bc40f..445b1df 100644
--- a/oslo_policy/policy.py
+++ b/oslo_policy/policy.py
@@ -1042,7 +1042,10 @@ class Enforcer(object):
# If the thing we're given is a Check, we don't know the
# name of the rule, so pass None for current_rule.
if rule.scope_types:
- self._enforce_scope(creds, rule)
+ scope_valid = self._enforce_scope(creds, rule,
+ do_raise=do_raise)
+ if not scope_valid:
+ return False
result = _checks._check(
rule=rule,
target=target,
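Review bot: With `do_raise=False`, the added `return False` makes a scope mismatch indistinguishable from a failed rule evaluation, and callers that previously passed `do_raise=False` while catching InvalidScope now receive False instead, so the contract of `enforce` has changed. The signature and docstring of `enforce` are outside this hunk; the docstring should state the new return semantics, e.g. `:returns: False if the rule check fails, or, when do_raise is False and enforce_scope is on, if the credential scope does not match the rule's scope_types`. The same early return appears in the registered-rule path of the next hunk and is covered by this note.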
@@ -1067,7 +1070,10 @@ class Enforcer(object):
registered_rule = self.registered_rules.get(rule)
if registered_rule and registered_rule.scope_types:
- self._enforce_scope(creds, registered_rule)
+ scope_valid = self._enforce_scope(creds, registered_rule,
+ do_raise=do_raise)
+ if not scope_valid:
+ return False
result = _checks._check(
rule=to_check,
target=target,
@@ -1085,7 +1091,7 @@ class Enforcer(object):
return result
- def _enforce_scope(self, creds, rule):
+ def _enforce_scope(self, creds, rule, do_raise=True):
# Check the scope of the operation against the possible scope
# attributes provided in `creds`.
if creds.get('system'):
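Review bot: `_enforce_scope` now takes `do_raise` and, per the later hunks, returns a bool, but the two-line comment still describes only what is compared, not what the caller gets back. A docstring should state the contract that the visible lines establish: True when the credential scope is in `rule.scope_types` or when `enforce_scope` is off (only a warning is emitted then), InvalidScope raised on a mismatch with `do_raise=True`, and False on a mismatch with `do_raise=False` and `enforce_scope` on. The body of `_enforce_scope` continues outside this hunk.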
@@ -1097,11 +1103,15 @@ class Enforcer(object):
# we're dealing with a project-scoped token.
token_scope = 'project' # nosec
+ result = True
if token_scope not in rule.scope_types:
if self.conf.oslo_policy.enforce_scope:
- raise InvalidScope(
- rule, rule.scope_types, token_scope
- )
+ if do_raise:
+ raise InvalidScope(
+ rule, rule.scope_types, token_scope
+ )
+ else:
+ result = False
# If we don't raise an exception we should at least
# inform operators about policies that are being used
# with improper scopes.
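Review bot: The `else:` following the `raise` on lines 54-59 is redundant, since `raise` leaves the block; `result = False` can sit directly after the `if do_raise:` branch and drop one nesting level. The existing comment on lines 60-62 was written for the warn-only case (`enforce_scope` off), but a `do_raise=False` mismatch now also reaches this point without an exception, so it should say so, e.g. `# Whether enforcement is off or we returned False (do_raise=False), inform operators about policies used with improper scopes.` Whether the warning is actually reached on the `result = False` path cannot be confirmed here, because the hunk's stripped indentation does not show block nesting.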
@@ -1117,6 +1127,7 @@ class Enforcer(object):
}
)
warnings.warn(msg)
+ return result
def _map_context_attributes_into_creds(self, context):
creds = {}
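Review bot: The placement of the added `return result` cannot be verified from this hunk because its indentation has been stripped: it must be at the method's outermost level, after the `if token_scope not in rule.scope_types:` block, otherwise the in-scope path returns None and the callers' `if not scope_valid: return False` would deny every correctly scoped request. Assuming it is at method level as intended, a one-line comment would make the single False case explicit, e.g. `# False only when enforce_scope is on, do_raise is False and the scope mismatched`. The start of `_enforce_scope` lies outside this hunk.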
diff --git a/oslo_policy/tests/test_policy.py b/oslo_policy/tests/test_policy.py
index 5dcf868..fdcdbca 100644
--- a/oslo_policy/tests/test_policy.py
+++ b/oslo_policy/tests/test_policy.py
@@ -923,15 +923,23 @@ class EnforcerTest(base.PolicyBaseTestCase):
target_dict = {}
self.assertRaises(
policy.InvalidScope, self.enforcer.enforce, 'fake_rule',
- target_dict, ctx
+ target_dict, ctx, do_raise=True
)
+ # and the same should return False if do_raise=False
+ self.assertFalse(
+ self.enforcer.enforce(
+ 'fake_rule', target_dict, ctx, do_raise=False))
# model a project-scoped token, which should fail enforcement
ctx = context.RequestContext(project_id='fake')
self.assertRaises(
policy.InvalidScope, self.enforcer.enforce, 'fake_rule',
- target_dict, ctx
+ target_dict, ctx, True
)
+ # and the same should return False if do_raise=False
+ self.assertFalse(
+ self.enforcer.enforce(
+ 'fake_rule', target_dict, ctx, do_raise=False))
def test_enforcer_understands_domain_scope(self):
self.conf.set_override('enforce_scope', True, group='oslo_policy')
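Review bot: The `assertRaises` calls pass `do_raise` inconsistently: line 79 uses the keyword `do_raise=True`, while line 90 (and lines 103, 114, 127 and 138 in the next two hunks) passes a bare positional `True`, which reads poorly next to the `ctx` argument and relies on parameter order. Use `target_dict, ctx, do_raise=True` throughout, matching the `do_raise=False` calls added just below each one. Passing the default explicitly is redundant, but acceptable if the intent is to contrast the two branches, provided it is done the same way everywhere.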
@@ -956,15 +964,23 @@ class EnforcerTest(base.PolicyBaseTestCase):
target_dict = {}
self.assertRaises(
policy.InvalidScope, self.enforcer.enforce, 'fake_rule',
- target_dict, ctx
+ target_dict, ctx, True
)
+ # and the same should return False if do_raise=False
+ self.assertFalse(
+ self.enforcer.enforce(
+ 'fake_rule', target_dict, ctx, do_raise=False))
# model a project-scoped token, which should fail enforcement
ctx = context.RequestContext(project_id='fake')
self.assertRaises(
policy.InvalidScope, self.enforcer.enforce, 'fake_rule',
- target_dict, ctx
+ target_dict, ctx, True
)
+ # and the same should return False if do_raise=False
+ self.assertFalse(
+ self.enforcer.enforce(
+ 'fake_rule', target_dict, ctx, do_raise=False))
def test_enforcer_understands_project_scope(self):
self.conf.set_override('enforce_scope', True, group='oslo_policy')
@@ -989,15 +1005,23 @@ class EnforcerTest(base.PolicyBaseTestCase):
target_dict = {}
self.assertRaises(
policy.InvalidScope, self.enforcer.enforce, 'fake_rule',
- target_dict, ctx
+ target_dict, ctx, True
)
+ # and the same should return False if do_raise=False
+ self.assertFalse(
+ self.enforcer.enforce(
+ 'fake_rule', target_dict, ctx, do_raise=False))
# model a domain-scoped token, which should fail enforcement
ctx = context.RequestContext(domain_id='fake')
self.assertRaises(
policy.InvalidScope, self.enforcer.enforce, 'fake_rule',
- target_dict, ctx
+ target_dict, ctx, True
)
+ # and the same should return False if do_raise=False
+ self.assertFalse(
+ self.enforcer.enforce(
+ 'fake_rule', target_dict, ctx, do_raise=False))
def test_enforce_scope_with_subclassed_checks_when_scope_not_set(self):
self.conf.set_override('enforce_scope', True, group='oslo_policy')
@@ -1013,7 +1037,10 @@ class EnforcerTest(base.PolicyBaseTestCase):
ctx = context.RequestContext(system_scope='all', roles=['admin'])
self.assertRaises(
policy.InvalidScope,
- self.enforcer.enforce, rule, {}, ctx)
+ self.enforcer.enforce, rule, {}, ctx, do_raise=True)
+ # and the same should return False if do_raise=False
+ self.assertFalse(
+ self.enforcer.enforce(rule, {}, ctx, do_raise=False))
class EnforcerNoPolicyFileTest(base.PolicyBaseTestCase):