From 2b498e61f427fcc2400bc7b8c94afe0c4281eff6 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Mon, 8 Mar 2021 13:49:37 +0000
Subject: [PATCH] trivial: remove unnecessary grouping in base policies
We've broken basic policies into granular checks with simple names and we use them to construct more complex checks. In that process we accidentally added some additional nesting to two of the check strings, which isn't necessary. This commit updates the check strings to remove an extra set of parenthesis.
Change-Id: Iafa37d64a9779a3b646c34f328c62dfd6cd3e7f3
---
 glance/policies/base.py | 4 ++--
 glance/tests/unit/test_policy.py | 12 ++++++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/glance/policies/base.py b/glance/policies/base.py
index 046e4557c6..32d1139717 100644
--- a/glance/policies/base.py
+++ b/glance/policies/base.py
@@ -14,12 +14,12 @@ from oslo_policy import policy
 # Generic check string for checking if a user is authorized on a particular
 # project, specifically with the member role.
-PROJECT_MEMBER = 'role:member and (project_id:%(project_id)s)'
+PROJECT_MEMBER = 'role:member and project_id:%(project_id)s'
 # Generic check string for checking if a user is authorized on a particular
 # project but with read-only access. For example, this persona would be able to
 # list private images owned by a project but cannot make any writeable changes
 # to those images.
-PROJECT_READER = 'role:reader and (project_id:%(project_id)s)'
+PROJECT_READER = 'role:reader and project_id:%(project_id)s'
 # Make sure the member_id of the supplied target matches the project_id from
 # the context object, which is derived from keystone tokens.
diff --git a/glance/tests/unit/test_policy.py b/glance/tests/unit/test_policy.py
index 9e77e0645f..4d186dff54 100644
--- a/glance/tests/unit/test_policy.py
+++ b/glance/tests/unit/test_policy.py
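Review bot: PROJECT_MEMBER and PROJECT_READER are now bare `and` expressions, so any composite check that puts one of them on a side of an `or` has to add the grouping itself; the `role:admin or (role:member and ...)` form the new tests expect shows this is currently done, but nothing in base.py states that it is required. A one-line comment above PROJECT_MEMBER would make the contract explicit, e.g. `# Bare conjunction: wrap in parentheses when composing it with 'or' so the project_id constraint stays attached to the role.` A grouping mistake here would widen an authorization rule rather than narrow it, which is why the requirement belongs at the definition and not only in the unit tests. The ADMIN_OR_PROJECT_* definitions that compose these strings are outside the hunk.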
@@ -1062,9 +1062,13 @@ class TestContextPolicyEnforcer(base.IsolatedUnitTest):
 class TestDefaultPolicyCheckStrings(base.IsolatedUnitTest):
     def test_project_member_check_string(self):
-        expected = 'role:member and (project_id:%(project_id)s)'
+        expected = 'role:member and project_id:%(project_id)s'
         self.assertEqual(expected, base_policy.PROJECT_MEMBER)
+    def test_admin_or_project_member_check_string(self):
+        expected = 'role:admin or (role:member and project_id:%(project_id)s)'
+        self.assertEqual(expected, base_policy.ADMIN_OR_PROJECT_MEMBER)
+
     def test_project_member_download_image_check_string(self):
         expected = (
             'role:member and (project_id:%(project_id)s or '
@@ -1077,9 +1081,13 @@ class TestDefaultPolicyCheckStrings(base.IsolatedUnitTest):
         )
     def test_project_reader_check_string(self):
-        expected = 'role:reader and (project_id:%(project_id)s)'
+        expected = 'role:reader and project_id:%(project_id)s'
         self.assertEqual(expected, base_policy.PROJECT_READER)
+    def test_admin_or_project_reader_check_string(self):
+        expected = 'role:admin or (role:reader and project_id:%(project_id)s)'
+        self.assertEqual(expected, base_policy.ADMIN_OR_PROJECT_READER)
+
     def test_project_reader_get_image_check_string(self):
         expected = (
             'role:reader and (project_id:%(project_id)s or '
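Review bot: The new test_admin_or_project_member_check_string, and test_admin_or_project_reader_check_string in the second hunk, pin the exact string but do not say which part of it matters, so a later "cleanup" in the spirit of this commit could drop the inner parentheses and simply update the expected value. A short comment above each `expected =` line, e.g. `# The parentheses are deliberate: they make the grouping of the role/project conjunction explicit instead of relying on parser precedence.`, records the intent. These assertions guard the spelling of the check string rather than its effect; if TestContextPolicyEnforcer does not already exercise ADMIN_OR_PROJECT_MEMBER with a member of a different project, an enforcer-level assertion that such a request is denied would cover the behaviour too, though I cannot tell from this hunk whether it does.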