Merge "Pass oslo.context RequestContext objects directly to policy enforcement"
commit
bdbad59dc9
|
@ -66,7 +66,7 @@ class Enforcer(policy.Enforcer):
|
|||
raise policy.PolicyNotRegistered(action)
|
||||
try:
|
||||
return super(Enforcer, self).enforce(action, target,
|
||||
context.to_policy_values(),
|
||||
context,
|
||||
do_raise=True,
|
||||
exc=exception.Forbidden,
|
||||
action=action)
|
||||
|
@ -85,7 +85,7 @@ class Enforcer(policy.Enforcer):
|
|||
raise policy.PolicyNotRegistered(action)
|
||||
return super(Enforcer, self).enforce(action,
|
||||
target,
|
||||
context.to_policy_values())
|
||||
context)
|
||||
|
||||
def check_is_admin(self, context):
|
||||
"""Check if the given context is associated with an admin role,
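Review bot: Both `super(Enforcer, self).enforce(...)` calls, in `enforce()` and in `check()`, now pass the `context` object where a credentials dict used to go, so the authorization result depends on the installed oslo.policy recognising an oslo.context RequestContext and deriving the credentials itself. No requirements or lower-constraints change is visible in this commit, so it is worth confirming that the minimum supported oslo.policy performs that translation rather than treating the object as a mapping. A short comment at each call site, for example `# oslo.policy builds the credential dict from the RequestContext; do not pre-translate`, would stop a later change from reintroducing the manual conversion. Both methods begin outside the hunks shown here.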
|
||||
|
|
|
@ -52,12 +52,6 @@ class RequestContext(context.RequestContext):
|
|||
})
|
||||
return d
|
||||
|
||||
def to_policy_values(self):
|
||||
pdict = super(RequestContext, self).to_policy_values()
|
||||
pdict['user_id'] = self.user_id
|
||||
pdict['project_id'] = self.project_id
|
||||
return pdict
|
||||
|
||||
@classmethod
|
||||
def from_dict(cls, values):
|
||||
return cls(**values)
|
||||
|
|
|
@ -348,6 +348,31 @@ class TestPolicyEnforcer(base.IsolatedUnitTest):
|
|||
self.config(enforce_scope=False, group='oslo_policy')
|
||||
self.assertTrue(self._test_enforce_scope())
|
||||
|
||||
def test_ensure_context_object_is_passed_to_policy_enforcement(self):
|
||||
# The oslo.policy Enforcer does some useful translation for us if we
|
||||
# pass it an oslo.context.RequestContext object. This prevents us from
|
||||
# having to handle the translation to a valid credential dictionary in
|
||||
# glance.
|
||||
context = glance.context.RequestContext()
|
||||
mock_enforcer = self.mock_object(common_policy.Enforcer, 'enforce')
|
||||
|
||||
enforcer = glance.api.policy.Enforcer()
|
||||
enforcer.register_default(
|
||||
common_policy.RuleDefault(name='foo', check_str='role:bar')
|
||||
)
|
||||
|
||||
enforcer.enforce(context, 'foo', {})
|
||||
mock_enforcer.assert_called_once_with('foo', {}, context,
|
||||
do_raise=True,
|
||||
exc=exception.Forbidden,
|
||||
action='foo')
|
||||
|
||||
# Reset the mock and make sure glance.api.policy.Enforcer.check()
|
||||
# behaves the same way.
|
||||
mock_enforcer.reset_mock()
|
||||
enforcer.check(context, 'foo', {})
|
||||
mock_enforcer.assert_called_once_with('foo', {}, context)
|
||||
|
||||
|
||||
class TestPolicyEnforcerNoFile(base.IsolatedUnitTest):
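Review bot: `test_ensure_context_object_is_passed_to_policy_enforcement` replaces `common_policy.Enforcer.enforce` with a mock, so it proves only that the context object is forwarded and never evaluates a rule against credentials derived from that context. The same commit removes glance's `to_policy_values()` override that set `pdict['user_id']` and `pdict['project_id']`, so ownership-style rules now presumably rely on the base class supplying those keys. A companion test that runs the unmocked enforcer with a rule such as `project_id:%(project_id)s`, expecting success for a matching target and `exception.Forbidden` for a mismatched one, would catch a regression there. The `RequestContext()` built here takes no arguments, so even an unmocked run of this test would not exercise user or project matching.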
|
||||
|
||||
|
|