Make sure we pass context objects directly to policy enforcement
The oslo.policy Enforcer understands what to do with oslo.context.RequestContext objects. This makes things easier for us because we don't have to call .to_policy_values() before invoking enforcement. Oslo.policy will do it for us. This commit ensures we do this in cinder.policy.enforce() and it adds some tests to make sure cinder.policy.authorize() doesn't regress. Change-Id: Id7f4f81df47763763b83580b4ff10908da86ed18
parent
118da903b1
commit
0c87d14f55
|
@ -79,7 +79,7 @@ def enforce(context, action, target):
|
|||
try:
|
||||
return _ENFORCER.enforce(action,
|
||||
target,
|
||||
context.to_policy_values(),
|
||||
context,
|
||||
do_raise=True,
|
||||
exc=exception.PolicyNotAuthorized,
|
||||
action=action)
|
||||
|
|
|
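Review bot: The credentials argument to `_ENFORCER.enforce` now relies on oslo.policy recognising a `RequestContext` and calling `to_policy_values()` itself, and nothing visible in this hunk records that dependency. If the installed oslo.policy lacks context-object support, the rule checks would presumably not receive the dict they expect, so the project's minimum oslo.policy requirement should be checked against this change (the requirements file is not shown here). A short comment above the call would help, for example `# oslo.policy converts RequestContext to credentials via to_policy_values(); do not pre-convert here`. The body of `enforce` starts and ends outside the hunk, so the `except` branch paired with this `try` could not be reviewed.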
@ -13,6 +13,7 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
import os.path
|
||||
from unittest import mock
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_config import fixture as config_fixture
|
||||
|
@ -156,3 +157,25 @@ class PolicyTestCase(test.TestCase):
|
|||
policy._ENFORCER.register_defaults([rule])
|
||||
|
||||
self.assertTrue(policy.enforce(project_context, 'foo', {}))
|
||||
|
||||
def test_enforce_passes_context_objects_to_enforcement(self):
|
||||
fake_context = context.RequestContext(roles=['foo'])
|
||||
action = 'foo'
|
||||
target = {}
|
||||
with mock.patch.object(policy._ENFORCER, 'enforce') as fake_enforce:
|
||||
policy.enforce(fake_context, action, target)
|
||||
fake_enforce.assert_called_once_with(
|
||||
action, target, fake_context, do_raise=True,
|
||||
exc=exception.PolicyNotAuthorized, action=action)
|
||||
|
||||
def test_authorize_passes_context_objects_to_enforcement(self):
|
||||
fake_context = context.RequestContext(project_id='fake-project-id',
|
||||
user_id='fake-user-id',
|
||||
roles=['foo'])
|
||||
action = 'foo'
|
||||
target = {'project_id': 'fake-project-id', 'user_id': 'fake-user-id'}
|
||||
with mock.patch.object(policy._ENFORCER, 'authorize') as fake_authz:
|
||||
fake_context.authorize('foo')
|
||||
fake_authz.assert_called_once_with(
|
||||
action, target, fake_context, do_raise=True,
|
||||
exc=exception.PolicyNotAuthorized, action=action)
|
||||
|
|
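Review bot: Both new tests replace `policy._ENFORCER.enforce` and `policy._ENFORCER.authorize` with mocks, so they pin the argument shape but never run a real policy decision on a context object, and the deny path is not covered. Because this commit changes what the enforcer receives as credentials, a test against the real enforcer would guard against an unintended allow, for example `self.assertRaises(exception.PolicyNotAuthorized, policy.enforce, fake_context, action, target)` with a registered rule that `fake_context` does not satisfy. In `test_authorize_passes_context_objects_to_enforcement`, `fake_context.authorize('foo')` could pass `action` instead of repeating the literal. `PolicyTestCase` starts outside the hunk, so it is only assumed from the `register_defaults` call above that `policy._ENFORCER` is initialised before `mock.patch.object` runs.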