Properly handle InvalidScope exceptions

Now that we're starting to set scope_types on default policies, we should make sure we handle InvalidScope exceptions from oslo.policy in the event enforce_scope=True. Operators won't use this switch for a while, but it prepares us for when cinder will be system-scope aware. This commit also bumps the minimum version of oslo.policy to 3.6.2, which is safer when running tests in parallel with different policy configurations. Change-Id: I680cb8c4be13bcd3ac6785a7afa81ce5d3477f91
2021-02-16 19:44:51 +00:00 · 2021-02-16 19:44:51 +00:00 · 118da903b1
parent 9fc6fab79d
commit 118da903b1
4 changed files with 36 additions and 8 deletions
--- a/cinder/policy.py
+++ b/cinder/policy.py
@ -76,12 +76,15 @@ def enforce(context, action, target):
    """
    init()

-    return _ENFORCER.enforce(action,
-                             target,
-                             context.to_policy_values(),
-                             do_raise=True,
-                             exc=exception.PolicyNotAuthorized,
-                             action=action)
+    try:
+        return _ENFORCER.enforce(action,
+                                 target,
+                                 context.to_policy_values(),
+                                 do_raise=True,
+                                 exc=exception.PolicyNotAuthorized,
+                                 action=action)
+    except policy.InvalidScope:
+        raise exception.PolicyNotAuthorized(action=action)


 def set_rules(rules, overwrite=True, use_conf=False):
--- a/cinder/tests/unit/test_policy.py
+++ b/cinder/tests/unit/test_policy.py
@ -131,3 +131,28 @@ class PolicyTestCase(test.TestCase):
                                               roles=['AdMiN'])
        policy.authorize(admin_context, lowercase_action, self.target)
        policy.authorize(admin_context, uppercase_action, self.target)
+
+    def test_enforce_properly_handles_invalid_scope_exception(self):
+        self.fixture.config(enforce_scope=True, group='oslo_policy')
+        project_context = context.RequestContext(project_id='fake-project-id',
+                                                 roles=['bar'])
+        policy.reset()
+        policy.init()
+        rule = oslo_policy.RuleDefault('foo', 'role:bar',
+                                       scope_types=['system'])
+        policy._ENFORCER.register_defaults([rule])
+
+        self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
+                          project_context, 'foo', {})
+
+    def test_enforce_does_not_raise_forbidden(self):
+        self.fixture.config(enforce_scope=False, group='oslo_policy')
+        project_context = context.RequestContext(project_id='fake-project-id',
+                                                 roles=['bar'])
+        policy.reset()
+        policy.init()
+        rule = oslo_policy.RuleDefault('foo', 'role:bar',
+                                       scope_types=['system'])
+        policy._ENFORCER.register_defaults([rule])
+
+        self.assertTrue(policy.enforce(project_context, 'foo', {}))
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@ -64,7 +64,7 @@ oslo.i18n==5.0.1
 oslo.log==4.4.0
 oslo.messaging==12.5.0
 oslo.middleware==4.1.1
-oslo.policy==3.6.0
+oslo.policy==3.6.2
 oslo.privsep==2.4.0
 oslo.reports==2.2.0
 oslo.rootwrap==6.2.0
--- a/requirements.txt
+++ b/requirements.txt
@ -21,7 +21,7 @@ oslo.db>=8.4.0 # Apache-2.0
 oslo.log>=4.4.0 # Apache-2.0
 oslo.messaging>=12.5.0 # Apache-2.0
 oslo.middleware>=4.1.1 # Apache-2.0
-oslo.policy>=3.6.0 # Apache-2.0
+oslo.policy>=3.6.2 # Apache-2.0
 oslo.privsep>=2.4.0 # Apache-2.0
 oslo.reports>=2.2.0 # Apache-2.0
 oslo.rootwrap>=6.2.0 # Apache-2.0