Merge "Properly handle InvalidScope exceptions"

2021-03-05 05:29:42 +00:00 · 2021-03-05 05:29:42 +00:00 · beda9428cc
commit beda9428cc
parent 89694d84ef 118da903b1
4 changed files with 36 additions and 8 deletions
--- a/cinder/policy.py
+++ b/cinder/policy.py
@ -76,12 +76,15 @@ def enforce(context, action, target):
    """
    init()

-    return _ENFORCER.enforce(action,
-                             target,
-                             context.to_policy_values(),
-                             do_raise=True,
-                             exc=exception.PolicyNotAuthorized,
-                             action=action)
+    try:
+        return _ENFORCER.enforce(action,
+                                 target,
+                                 context.to_policy_values(),
+                                 do_raise=True,
+                                 exc=exception.PolicyNotAuthorized,
+                                 action=action)
+    except policy.InvalidScope:
+        raise exception.PolicyNotAuthorized(action=action)


 def set_rules(rules, overwrite=True, use_conf=False):
--- a/cinder/tests/unit/test_policy.py
+++ b/cinder/tests/unit/test_policy.py
@ -131,3 +131,28 @@ class PolicyTestCase(test.TestCase):
                                               roles=['AdMiN'])
        policy.authorize(admin_context, lowercase_action, self.target)
        policy.authorize(admin_context, uppercase_action, self.target)
+
+    def test_enforce_properly_handles_invalid_scope_exception(self):
+        self.fixture.config(enforce_scope=True, group='oslo_policy')
+        project_context = context.RequestContext(project_id='fake-project-id',
+                                                 roles=['bar'])
+        policy.reset()
+        policy.init()
+        rule = oslo_policy.RuleDefault('foo', 'role:bar',
+                                       scope_types=['system'])
+        policy._ENFORCER.register_defaults([rule])
+
+        self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
+                          project_context, 'foo', {})
+
+    def test_enforce_does_not_raise_forbidden(self):
+        self.fixture.config(enforce_scope=False, group='oslo_policy')
+        project_context = context.RequestContext(project_id='fake-project-id',
+                                                 roles=['bar'])
+        policy.reset()
+        policy.init()
+        rule = oslo_policy.RuleDefault('foo', 'role:bar',
+                                       scope_types=['system'])
+        policy._ENFORCER.register_defaults([rule])
+
+        self.assertTrue(policy.enforce(project_context, 'foo', {}))
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@ -64,7 +64,7 @@ oslo.i18n==5.0.1
 oslo.log==4.4.0
 oslo.messaging==12.5.0
 oslo.middleware==4.1.1
-oslo.policy==3.6.0
+oslo.policy==3.6.2
 oslo.privsep==2.4.0
 oslo.reports==2.2.0
 oslo.rootwrap==6.2.0
--- a/requirements.txt
+++ b/requirements.txt
@ -21,7 +21,7 @@ oslo.db>=8.4.0 # Apache-2.0
 oslo.log>=4.4.0 # Apache-2.0
 oslo.messaging>=12.5.0 # Apache-2.0
 oslo.middleware>=4.1.1 # Apache-2.0
-oslo.policy>=3.6.0 # Apache-2.0
+oslo.policy>=3.6.2 # Apache-2.0
 oslo.privsep>=2.4.0 # Apache-2.0
 oslo.reports>=2.2.0 # Apache-2.0
 oslo.rootwrap>=6.2.0 # Apache-2.0