Fix api.keystone.is_cloud_admin/is_domain_admin handling with new policies
Allow an action if no policy exists for it and there is no default policy. Change-Id: Ief6dc5ff15a83c70ee171774d1bfc6470c0863d1 Closes-bug: 1739108
This commit is contained in:
parent
98d0714939
commit
54365d7ef1
@ -188,6 +188,7 @@ def _check_credentials(enforcer_scope, action, target, credentials):
|
||||
# enforce loads the rules
|
||||
if action not in enforcer_scope.rules:
|
||||
if not enforcer_scope.enforce('default', target, credentials):
|
||||
if 'default' in enforcer_scope.rules:
|
||||
is_valid = False
|
||||
else:
|
||||
is_valid = False
|
||||
|
3
openstack_auth/tests/conf/no_default_policy.json
Normal file
3
openstack_auth/tests/conf/no_default_policy.json
Normal file
@ -0,0 +1,3 @@
|
||||
{
|
||||
"no_default:action": ""
|
||||
}
|
4
openstack_auth/tests/conf/with_default_policy.json
Normal file
4
openstack_auth/tests/conf/with_default_policy.json
Normal file
@ -0,0 +1,4 @@
|
||||
{
|
||||
"with_default:action": "",
|
||||
"default": "role:admin"
|
||||
}
|
@ -17,6 +17,7 @@ import mock
|
||||
|
||||
from openstack_auth import policy
|
||||
from openstack_auth import user
|
||||
from openstack_auth import utils
|
||||
|
||||
|
||||
class PolicyLoaderTestCase(test.TestCase):
|
||||
@ -83,6 +84,66 @@ class PolicyTestCaseNonAdmin(PolicyTestCase):
|
||||
self.assertTrue(value)
|
||||
|
||||
|
||||
class PolicyTestCheckCredentials(PolicyTestCase):
|
||||
_roles = [{'id': '1', 'name': 'member'}]
|
||||
|
||||
def setUp(self):
|
||||
policy_files = {
|
||||
'no_default': 'no_default_policy.json',
|
||||
'with_default': 'with_default_policy.json',
|
||||
}
|
||||
|
||||
override = self.settings(POLICY_FILES=policy_files)
|
||||
override.enable()
|
||||
self.addCleanup(override.disable)
|
||||
|
||||
mock_user = user.User(id=1, roles=self._roles,
|
||||
user_domain_id='admin_domain_id')
|
||||
patcher = mock.patch('openstack_auth.utils.get_user',
|
||||
return_value=mock_user)
|
||||
self.MockClass = patcher.start()
|
||||
self.addCleanup(patcher.stop)
|
||||
self.request = http.HttpRequest()
|
||||
|
||||
def test_check_credentials(self):
|
||||
policy.reset()
|
||||
enforcer = policy._get_enforcer()
|
||||
scope = enforcer['no_default']
|
||||
user = utils.get_user()
|
||||
credentials = policy._user_to_credentials(user)
|
||||
target = {
|
||||
'project_id': user.project_id,
|
||||
'tenant_id': user.project_id,
|
||||
'user_id': user.id,
|
||||
'domain_id': user.user_domain_id,
|
||||
'user.domain_id': user.user_domain_id,
|
||||
'group.domain_id': user.user_domain_id,
|
||||
'project.domain_id': user.user_domain_id,
|
||||
}
|
||||
is_valid = policy._check_credentials(scope, 'action', target,
|
||||
credentials)
|
||||
self.assertTrue(is_valid)
|
||||
|
||||
def test_check_credentials_default(self):
|
||||
policy.reset()
|
||||
enforcer = policy._get_enforcer()
|
||||
scope = enforcer['with_default']
|
||||
user = utils.get_user()
|
||||
credentials = policy._user_to_credentials(user)
|
||||
target = {
|
||||
'project_id': user.project_id,
|
||||
'tenant_id': user.project_id,
|
||||
'user_id': user.id,
|
||||
'domain_id': user.user_domain_id,
|
||||
'user.domain_id': user.user_domain_id,
|
||||
'group.domain_id': user.user_domain_id,
|
||||
'project.domain_id': user.user_domain_id,
|
||||
}
|
||||
is_valid = policy._check_credentials(scope, 'action', target,
|
||||
credentials)
|
||||
self.assertFalse(is_valid)
|
||||
|
||||
|
||||
class PolicyTestCaseAdmin(PolicyTestCase):
|
||||
_roles = [{'id': '1', 'name': 'admin'}]
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user