Diffstat (limited to 'oslo_policy')
-rw-r--r-- | oslo_policy/policy.py | 23 | ||||
-rw-r--r-- | oslo_policy/tests/test_policy.py | 41 |
2 files changed, 51 insertions, 13 deletions
diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py
index 48bc40f..445b1df 100644
--- a/oslo_policy/policy.py
+++ b/oslo_policy/policy.py
@@ -1042,7 +1042,10 @@ class Enforcer(object):
             # If the thing we're given is a Check, we don't know the
             # name of the rule, so pass None for current_rule.
             if rule.scope_types:
-                self._enforce_scope(creds, rule)
+                scope_valid = self._enforce_scope(creds, rule,
+                                                  do_raise=do_raise)
+                if not scope_valid:
+                    return False
             result = _checks._check(
                 rule=rule,
                 target=target,
@@ -1067,7 +1070,10 @@ class Enforcer(object):
 
             registered_rule = self.registered_rules.get(rule)
             if registered_rule and registered_rule.scope_types:
-                self._enforce_scope(creds, registered_rule)
+                scope_valid = self._enforce_scope(creds, registered_rule,
+                                                  do_raise=do_raise)
+                if not scope_valid:
+                    return False
             result = _checks._check(
                 rule=to_check,
                 target=target,
@@ -1085,7 +1091,7 @@ class Enforcer(object):
         return result
 
-    def _enforce_scope(self, creds, rule):
+    def _enforce_scope(self, creds, rule, do_raise=True):
         # Check the scope of the operation against the possible scope
         # attributes provided in `creds`.
         if creds.get('system'):
@@ -1097,11 +1103,15 @@ class Enforcer(object):
             # we're dealing with a project-scoped token.
             token_scope = 'project' # nosec
 
+        result = True
         if token_scope not in rule.scope_types:
             if self.conf.oslo_policy.enforce_scope:
-                raise InvalidScope(
-                    rule, rule.scope_types, token_scope
-                )
+                if do_raise:
+                    raise InvalidScope(
+                        rule, rule.scope_types, token_scope
+                    )
+                else:
+                    result = False
             # If we don't raise an exception we should at least
             # inform operators about policies that are being used
             # with improper scopes.
@@ -1117,6 +1127,7 @@ class Enforcer(object):
                 }
             )
             warnings.warn(msg)
+        return result
 
     def _map_context_attributes_into_creds(self, context):
         creds = {}
diff --git a/oslo_policy/tests/test_policy.py b/oslo_policy/tests/test_policy.py
index 5dcf868..fdcdbca 100644
--- a/oslo_policy/tests/test_policy.py
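Review bot: The early `return False` after the scope check means a caller that leaves `do_raise` at its default no longer gets `InvalidScope` for a mis-scoped token — the updated tests have to pass `do_raise=True` to keep the exception, which suggests the default path now returns False instead. Any caller that catches `InvalidScope` to tell a scope violation apart from an ordinary policy denial (for a different HTTP status or audit record, say) silently loses that distinction, so this deserves a release note and a sentence in `enforce`'s docstring (outside the hunk): `:raises InvalidScope: only when do_raise is True and the token's scope is not in the rule's scope_types; otherwise the call returns False.` The second hunk at -1067/+1070 has the same behaviour change and the same near-identical four lines, which could be a small private helper. `enforce` starts and ends outside the hunk.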
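Review bot: `_enforce_scope` now has a return value and a `do_raise` flag, but the only documentation is the pre-existing comment saying it checks the scope, so a reader of the two `scope_valid` call sites cannot tell what True/False mean without reading the body. Suggest a docstring under the new signature along the lines of `"""Return True if the scope of creds is allowed for rule. With enforce_scope on, a mismatch raises InvalidScope when do_raise is True and returns False otherwise; with enforce_scope off it only warns and returns True."""`. The rest of the method body is in the following hunks.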
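Review bot: When `enforce_scope` is on and `do_raise` is False, the new `else: result = False` branch falls through to the `msg`/`warnings.warn(msg)` path that follows, so an enforced denial also emits the warning that was written for the warn-only case, as the comment `# If we don't raise an exception we should at least inform operators ...` shows. If that message (built outside the hunk) tells operators the policy is merely being used with an improper scope, it is misleading when the request was actually denied; either give the enforced-and-denied case its own log line or adjust the comment to say it now covers both outcomes, e.g. `# Warn whether or not scope is enforced: when enforce_scope is off the call still succeeds, when it is on and do_raise is False the caller gets False.` The method's `return result` lands in the last hunk.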
+++ b/oslo_policy/tests/test_policy.py @@ -923,15 +923,23 @@ class EnforcerTest(base.PolicyBaseTestCase): target_dict = {} self.assertRaises( policy.InvalidScope, self.enforcer.enforce, 'fake_rule', - target_dict, ctx + target_dict, ctx, do_raise=True ) + # and the same should return False if do_raise=False + self.assertFalse( + self.enforcer.enforce( + 'fake_rule', target_dict, ctx, do_raise=False)) # model a project-scoped token, which should fail enforcement ctx = context.RequestContext(project_id='fake') self.assertRaises( policy.InvalidScope, self.enforcer.enforce, 'fake_rule', - target_dict, ctx + target_dict, ctx, True ) + # and the same should return False if do_raise=False + self.assertFalse( + self.enforcer.enforce( + 'fake_rule', target_dict, ctx, do_raise=False)) def test_enforcer_understands_domain_scope(self): self.conf.set_override('enforce_scope', True, group='oslo_policy') @@ -956,15 +964,23 @@ class EnforcerTest(base.PolicyBaseTestCase): target_dict = {} self.assertRaises( policy.InvalidScope, self.enforcer.enforce, 'fake_rule', - target_dict, ctx + target_dict, ctx, True ) + # and the same should return False if do_raise=False + self.assertFalse( + self.enforcer.enforce( + 'fake_rule', target_dict, ctx, do_raise=False)) # model a project-scoped token, which should fail enforcement ctx = context.RequestContext(project_id='fake') self.assertRaises( policy.InvalidScope, self.enforcer.enforce, 'fake_rule', - target_dict, ctx + target_dict, ctx, True ) + # and the same should return False if do_raise=False + self.assertFalse( + self.enforcer.enforce( + 'fake_rule', target_dict, ctx, do_raise=False)) def test_enforcer_understands_project_scope(self): self.conf.set_override('enforce_scope', True, group='oslo_policy') 
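Review bot: The updated assertRaises calls pass the flag inconsistently — `target_dict, ctx, do_raise=True` in the first call but positional `target_dict, ctx, True` in the others (and in the two hunks that follow); a bare positional boolean is opaque and breaks if `enforce`'s positional parameters ever change, so use `do_raise=True` throughout. Unless it is covered elsewhere, there is also no assertion that a correctly scoped token with `do_raise=False` still evaluates the rule rather than returning False, which is the other half of the new contract; one `self.assertTrue(self.enforcer.enforce('fake_rule', target_dict, matching_ctx, do_raise=False))` per test, with a context whose scope matches the rule, would pin it. The enclosing test methods start outside the hunk.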
@@ -989,15 +1005,23 @@ class EnforcerTest(base.PolicyBaseTestCase): target_dict = {} self.assertRaises( policy.InvalidScope, self.enforcer.enforce, 'fake_rule', - target_dict, ctx + target_dict, ctx, True ) + # and the same should return False if do_raise=False + self.assertFalse( + self.enforcer.enforce( + 'fake_rule', target_dict, ctx, do_raise=False)) # model a domain-scoped token, which should fail enforcement ctx = context.RequestContext(domain_id='fake') self.assertRaises( policy.InvalidScope, self.enforcer.enforce, 'fake_rule', - target_dict, ctx + target_dict, ctx, True ) + # and the same should return False if do_raise=False + self.assertFalse( + self.enforcer.enforce( + 'fake_rule', target_dict, ctx, do_raise=False)) def test_enforce_scope_with_subclassed_checks_when_scope_not_set(self): self.conf.set_override('enforce_scope', True, group='oslo_policy') @@ -1013,7 +1037,10 @@ class EnforcerTest(base.PolicyBaseTestCase): ctx = context.RequestContext(system_scope='all', roles=['admin']) self.assertRaises( policy.InvalidScope, - self.enforcer.enforce, rule, {}, ctx) + self.enforcer.enforce, rule, {}, ctx, do_raise=True) + # and the same should return False if do_raise=False + self.assertFalse( + self.enforcer.enforce(rule, {}, ctx, do_raise=False)) class EnforcerNoPolicyFileTest(base.PolicyBaseTestCase): |