From 919c3280aa79762df8475f131a65d12b78ac436e Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski <skaplons@redhat.com>
Date: Tue, 5 Oct 2021 11:16:04 +0200
Subject: Enforce scope check always when rule has scope_types set

Previously it was checked only for registered rules but not for
rules which are subclasses of the BaseCheck class.
Now it's checked for all rules which have scope_types set.

It's required for e.g. Neutron as it is creating Check objects based
on the defined policy rules to e.g. include in the check attributes
like network's provider parameters, etc.

Depends-On: https://review.opendev.org/c/openstack/neutron/+/815838
Depends-On: https://review.opendev.org/c/openstack/neutron/+/818725

Closes-Bug: #1923503
Change-Id: I55258c1f999c84220518d1fbbf5e1e514361cebe
---
 oslo_policy/policy.py            |  2 ++
 oslo_policy/tests/test_policy.py | 16 ++++++++++++++++
 2 files changed, 18 insertions(+)

(limited to 'oslo_policy')

diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py
index 875727f..48bc40f 100644
--- a/oslo_policy/policy.py
+++ b/oslo_policy/policy.py
@@ -1041,6 +1041,8 @@ class Enforcer(object):
         if isinstance(rule, _checks.BaseCheck):
             # If the thing we're given is a Check, we don't know the
             # name of the rule, so pass None for current_rule.
+            if rule.scope_types:
+                self._enforce_scope(creds, rule)
             result = _checks._check(
                 rule=rule,
                 target=target,
diff --git a/oslo_policy/tests/test_policy.py b/oslo_policy/tests/test_policy.py
index f24a02e..5dcf868 100644
--- a/oslo_policy/tests/test_policy.py
+++ b/oslo_policy/tests/test_policy.py
@@ -999,6 +999,22 @@ class EnforcerTest(base.PolicyBaseTestCase):
             target_dict, ctx
         )
 
+    def test_enforce_scope_with_subclassed_checks_when_scope_not_set(self):
+        self.conf.set_override('enforce_scope', True, group='oslo_policy')
+        rule = _checks.TrueCheck()
+        rule.scope_types = None
+        ctx = context.RequestContext(system_scope='all', roles=['admin'])
+        self.enforcer.enforce(rule, {}, ctx)
+
+    def test_enforcer_raises_invalid_scope_with_subclassed_checks(self):
+        self.conf.set_override('enforce_scope', True, group='oslo_policy')
+        rule = _checks.TrueCheck()
+        rule.scope_types = ['domain']
+        ctx = context.RequestContext(system_scope='all', roles=['admin'])
+        self.assertRaises(
+            policy.InvalidScope,
+            self.enforcer.enforce, rule, {}, ctx)
+
 
 class EnforcerNoPolicyFileTest(base.PolicyBaseTestCase):
     def setUp(self):
-- 
cgit v1.2.1