From 919c3280aa79762df8475f131a65d12b78ac436e Mon Sep 17 00:00:00 2001 From: Slawek Kaplonski Date: Tue, 5 Oct 2021 11:16:04 +0200 Subject: Enforce scope check always when rule has scope_types set Previously it was checked only for registered rules but not for rules which are subclasses of the BaseCheck class. Now it's checked for all rules which have scope_types set. It's required for e.g. Neutron as it is creating Check objects based on the defined policy rules to e.g. include in the check attributes like network's provider parameters, etc. Depends-On: https://review.opendev.org/c/openstack/neutron/+/815838 Depends-On: https://review.opendev.org/c/openstack/neutron/+/818725 Closes-Bug: #1923503 Change-Id: I55258c1f999c84220518d1fbbf5e1e514361cebe --- oslo_policy/policy.py | 2 ++ oslo_policy/tests/test_policy.py | 16 ++++++++++++++++ 2 files changed, 18 insertions(+) (limited to 'oslo_policy') diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py index 875727f..48bc40f 100644 --- a/oslo_policy/policy.py +++ b/oslo_policy/policy.py @@ -1041,6 +1041,8 @@ class Enforcer(object): if isinstance(rule, _checks.BaseCheck): # If the thing we're given is a Check, we don't know the # name of the rule, so pass None for current_rule. + if rule.scope_types: + self._enforce_scope(creds, rule) result = _checks._check( rule=rule, target=target, diff --git a/oslo_policy/tests/test_policy.py b/oslo_policy/tests/test_policy.py index f24a02e..5dcf868 100644 --- a/oslo_policy/tests/test_policy.py +++ b/oslo_policy/tests/test_policy.py @@ -999,6 +999,22 @@ class EnforcerTest(base.PolicyBaseTestCase): target_dict, ctx ) + def test_enforce_scope_with_subclassed_checks_when_scope_not_set(self): + self.conf.set_override('enforce_scope', True, group='oslo_policy') + rule = _checks.TrueCheck() + rule.scope_types = None + ctx = context.RequestContext(system_scope='all', roles=['admin']) + self.enforcer.enforce(rule, {}, ctx) + + def test_enforcer_raises_invalid_scope_with_subclassed_checks(self): + self.conf.set_override('enforce_scope', True, group='oslo_policy') + rule = _checks.TrueCheck() + rule.scope_types = ['domain'] + ctx = context.RequestContext(system_scope='all', roles=['admin']) + self.assertRaises( + policy.InvalidScope, + self.enforcer.enforce, rule, {}, ctx) + class EnforcerNoPolicyFileTest(base.PolicyBaseTestCase): def setUp(self): -- cgit v1.2.1