Use authorize instead of enforce for policy

The authorize function actually checks that the policy we're evaluating has been registered. Since we do use policy-as-code, we can safely use this method which is preferred. Change-Id: I429e56c51f08ad3856f8822479747410c417b9a9
2018-11-07 15:32:46 +02:00 · 2018-11-07 15:32:46 +02:00 · 1aaf326e1d
commit 1aaf326e1d
parent 14bfdc49d5
2 changed files with 3 additions and 3 deletions
--- a/barbican/api/controllers/init.py
+++ b/barbican/api/controllers/init.py
@ -61,8 +61,8 @@ def _do_enforce_rbac(inst, req, action_name, ctx, **kwargs):
        policy_dict.update(kwargs)
        # Enforce access controls.
        if ctx.policy_enforcer:
-            ctx.policy_enforcer.enforce(action_name, flatten(policy_dict),
-                                        ctx, do_raise=True)
+            ctx.policy_enforcer.authorize(action_name, flatten(policy_dict),
+                                          ctx, do_raise=True)


 def enforce_rbac(action_name='default'):
--- a/barbican/tests/api/test_transport_keys_resource.py
+++ b/barbican/tests/api/test_transport_keys_resource.py
@ -33,7 +33,7 @@ from barbican.tests import utils

 def get_barbican_env(external_project_id):
    class NoopPolicyEnforcer(object):
-        def enforce(self, *args, **kwargs):
+        def authorize(self, *args, **kwargs):
            return

    kwargs = {'roles': None,