Merge "Pass oslo.context RequestContext objects directly to policy enforcement"

2021-02-26 04:59:18 +00:00 · 2021-02-26 04:59:18 +00:00 · bdbad59dc9
parent 63ff5c58ce e6755ebab9
commit bdbad59dc9
3 changed files with 27 additions and 8 deletions
--- a/glance/api/policy.py
+++ b/glance/api/policy.py
@ -66,7 +66,7 @@ class Enforcer(policy.Enforcer):
            raise policy.PolicyNotRegistered(action)
        try:
            return super(Enforcer, self).enforce(action, target,
-                                                 context.to_policy_values(),
+                                                 context,
                                                 do_raise=True,
                                                 exc=exception.Forbidden,
                                                 action=action)
@ -85,7 +85,7 @@ class Enforcer(policy.Enforcer):
            raise policy.PolicyNotRegistered(action)
        return super(Enforcer, self).enforce(action,
                                             target,
-                                             context.to_policy_values())
+                                             context)

    def check_is_admin(self, context):
        """Check if the given context is associated with an admin role,
--- a/glance/context.py
+++ b/glance/context.py
@ -52,12 +52,6 @@ class RequestContext(context.RequestContext):
        })
        return d

-    def to_policy_values(self):
-        pdict = super(RequestContext, self).to_policy_values()
-        pdict['user_id'] = self.user_id
-        pdict['project_id'] = self.project_id
-        return pdict
-
    @classmethod
    def from_dict(cls, values):
        return cls(**values)
--- a/glance/tests/unit/test_policy.py
+++ b/glance/tests/unit/test_policy.py
@ -348,6 +348,31 @@ class TestPolicyEnforcer(base.IsolatedUnitTest):
        self.config(enforce_scope=False, group='oslo_policy')
        self.assertTrue(self._test_enforce_scope())

+    def test_ensure_context_object_is_passed_to_policy_enforcement(self):
+        # The oslo.policy Enforcer does some useful translation for us if we
+        # pass it an oslo.context.RequestContext object. This prevents us from
+        # having to handle the translation to a valid credential dictionary in
+        # glance.
+        context = glance.context.RequestContext()
+        mock_enforcer = self.mock_object(common_policy.Enforcer, 'enforce')
+
+        enforcer = glance.api.policy.Enforcer()
+        enforcer.register_default(
+            common_policy.RuleDefault(name='foo', check_str='role:bar')
+        )
+
+        enforcer.enforce(context, 'foo', {})
+        mock_enforcer.assert_called_once_with('foo', {}, context,
+                                              do_raise=True,
+                                              exc=exception.Forbidden,
+                                              action='foo')
+
+        # Reset the mock and make sure glance.api.policy.Enforcer.check()
+        # behaves the same way.
+        mock_enforcer.reset_mock()
+        enforcer.check(context, 'foo', {})
+        mock_enforcer.assert_called_once_with('foo', {}, context)
+

 class TestPolicyEnforcerNoFile(base.IsolatedUnitTest):