Browse Source

Merge "Make sure we pass context objects directly to policy enforcement"

changes/22/776822/8
Zuul 5 months ago
committed by Gerrit Code Review
parent
commit
0868230f21
  1. 2
      cinder/policy.py
  2. 23
      cinder/tests/unit/test_policy.py

2
cinder/policy.py

@ -79,7 +79,7 @@ def enforce(context, action, target):
try:
return _ENFORCER.enforce(action,
target,
context.to_policy_values(),
context,
do_raise=True,
exc=exception.PolicyNotAuthorized,
action=action)

23
cinder/tests/unit/test_policy.py

@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
import os.path
from unittest import mock
from oslo_config import cfg
from oslo_config import fixture as config_fixture
@ -156,3 +157,25 @@ class PolicyTestCase(test.TestCase):
policy._ENFORCER.register_defaults([rule])
self.assertTrue(policy.enforce(project_context, 'foo', {}))
def test_enforce_passes_context_objects_to_enforcement(self):
fake_context = context.RequestContext(roles=['foo'])
action = 'foo'
target = {}
with mock.patch.object(policy._ENFORCER, 'enforce') as fake_enforce:
policy.enforce(fake_context, action, target)
fake_enforce.assert_called_once_with(
action, target, fake_context, do_raise=True,
exc=exception.PolicyNotAuthorized, action=action)
def test_authorize_passes_context_objects_to_enforcement(self):
fake_context = context.RequestContext(project_id='fake-project-id',
user_id='fake-user-id',
roles=['foo'])
action = 'foo'
target = {'project_id': 'fake-project-id', 'user_id': 'fake-user-id'}
with mock.patch.object(policy._ENFORCER, 'authorize') as fake_authz:
fake_context.authorize('foo')
fake_authz.assert_called_once_with(
action, target, fake_context, do_raise=True,
exc=exception.PolicyNotAuthorized, action=action)
Loading…
Cancel
Save