Merge "Make sure we pass context objects directly to policy enforcement"

This commit is contained in:
Zuul 2021-03-07 00:07:42 +00:00 committed by Gerrit Code Review
commit 0868230f21
2 changed files with 24 additions and 1 deletions

View File

@ -79,7 +79,7 @@ def enforce(context, action, target):
try: try:
return _ENFORCER.enforce(action, return _ENFORCER.enforce(action,
target, target,
context.to_policy_values(), context,
do_raise=True, do_raise=True,
exc=exception.PolicyNotAuthorized, exc=exception.PolicyNotAuthorized,
action=action) action=action)

View File

@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
import os.path import os.path
from unittest import mock
from oslo_config import cfg from oslo_config import cfg
from oslo_config import fixture as config_fixture from oslo_config import fixture as config_fixture
@ -156,3 +157,25 @@ class PolicyTestCase(test.TestCase):
policy._ENFORCER.register_defaults([rule]) policy._ENFORCER.register_defaults([rule])
self.assertTrue(policy.enforce(project_context, 'foo', {})) self.assertTrue(policy.enforce(project_context, 'foo', {}))
def test_enforce_passes_context_objects_to_enforcement(self):
fake_context = context.RequestContext(roles=['foo'])
action = 'foo'
target = {}
with mock.patch.object(policy._ENFORCER, 'enforce') as fake_enforce:
policy.enforce(fake_context, action, target)
fake_enforce.assert_called_once_with(
action, target, fake_context, do_raise=True,
exc=exception.PolicyNotAuthorized, action=action)
def test_authorize_passes_context_objects_to_enforcement(self):
fake_context = context.RequestContext(project_id='fake-project-id',
user_id='fake-user-id',
roles=['foo'])
action = 'foo'
target = {'project_id': 'fake-project-id', 'user_id': 'fake-user-id'}
with mock.patch.object(policy._ENFORCER, 'authorize') as fake_authz:
fake_context.authorize('foo')
fake_authz.assert_called_once_with(
action, target, fake_context, do_raise=True,
exc=exception.PolicyNotAuthorized, action=action)