Use to_policy_values for policy enforcement

Use the common policy values for all services when enforcing policy
decisions. We add all possibly used policy values to maintain backwards
compatibility.

Change-Id: Ie1d0739ab4dfb0654d8767693dbdba5cd52a30b2
Closes-Bug: #1602081
Jamie Lennox 2016-09-15 10:07:18 +10:00 committed by Ihar Hrachyshka
parent 57cb661869
commit 2e621eeb1c
3 changed files with 48 additions and 3 deletions


@ -91,6 +91,26 @@ class ContextBase(oslo_context.RequestContext):
})
return context
def to_policy_values(self):
values = super(ContextBase, self).to_policy_values()
values['tenant_id'] = self.tenant_id
values['is_admin'] = self.is_admin
# NOTE(jamielennox): These are almost certainly unused and non-standard
# but kept for backwards compatibility. Remove them in Pike
# (oslo.context from Ocata release already issues deprecation warnings
# for non-standard keys).
values['user'] = self.user
values['tenant'] = self.tenant
values['domain'] = self.domain
values['user_domain'] = self.user_domain
values['project_domain'] = self.project_domain
values['tenant_name'] = self.tenant_name
values['project_name'] = self.tenant_name
values['user_name'] = self.user_name
return values
@classmethod
def from_dict(cls, values):
return cls(user_id=values.get('user_id', values.get('user')),
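Review bot: `to_policy_values` has no docstring even though its return value is what the enforcer matches policy rules against, so every key set here (including the legacy `user`, `tenant`, `domain`, `tenant_name` duplicates) becomes a name that `policy.json` rules can reference; a one-line docstring such as `"""Return the credentials mapping used by the policy enforcer; legacy neutron keys are kept so existing rules still match."""` would make that explicit. Note also that `project_id`, which the new test in this commit expects in the output, is not set in this method, so it presumably comes from the oslo.context base implementation — worth a comment so a reader does not assume it is missing. `from_dict` continues past the end of the hunk.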


@ -321,7 +321,7 @@ def _prepare_check(context, action, target, pluralized):
if target is None:
target = {}
match_rule = _build_match_rule(action, target, pluralized)
credentials = context.to_dict()
credentials = context.to_policy_values()
return match_rule, target, credentials
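Review bot: The replacement of `context.to_dict()` with `context.to_policy_values()` here and in `check_is_admin` and `check_is_advsvc` changes which keys policy rules can see, but nothing at these call sites says where the mapping comes from; a comment like `# credentials are the oslo.context policy values plus neutron's legacy keys (see ContextBase.to_policy_values)` at the first site would help. In the two admin/advsvc checks the same mapping is also passed as the `target` argument (the existing `# the target is user-self` lines), and the new test notes that newer oslo.context returns a `_DeprecatedPolicyValues` object rather than a plain dict, so it may be worth confirming the enforcer treats that object like a dict for both arguments. `_prepare_check` starts before this hunk.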
@ -410,7 +410,7 @@ def check_is_admin(context):
"""Verify context has admin rights according to policy settings."""
init()
# the target is user-self
credentials = context.to_dict()
credentials = context.to_policy_values()
if ADMIN_CTX_POLICY not in _ENFORCER.rules:
return False
return _ENFORCER.enforce(ADMIN_CTX_POLICY, credentials, credentials)
@ -420,7 +420,7 @@ def check_is_advsvc(context):
"""Verify context has advsvc rights according to policy settings."""
init()
# the target is user-self
credentials = context.to_dict()
credentials = context.to_policy_values()
if ADVSVC_CTX_POLICY not in _ENFORCER.rules:
return False
return _ENFORCER.enforce(ADVSVC_CTX_POLICY, credentials, credentials)


@ -142,3 +142,28 @@ class TestNeutronContext(base.BaseTestCase):
ctx_admin = context.get_admin_context()
self.assertEqual(req_id_before, oslo_context.get_current().request_id)
self.assertNotEqual(req_id_before, ctx_admin.request_id)
def test_to_policy_values(self):
values = {
'user_id': 'user_id',
'tenant_id': 'tenant_id',
'is_admin': 'is_admin',
'tenant_name': 'tenant_name',
'user_name': 'user_name',
'domain': 'domain',
'user_domain': 'user_domain',
'project_domain': 'project_domain',
'user_name': 'user_name',
}
additional_values = {
'user': 'user_id',
'tenant': 'tenant_id',
'project_id': 'tenant_id',
'project_name': 'tenant_name',
}
ctx = context.Context(**values)
# apply dict() to get a real dictionary, needed for newer oslo.context
# that returns _DeprecatedPolicyValues object instead
policy_values = dict(ctx.to_policy_values())
self.assertDictSupersetOf(values, policy_values)
self.assertDictSupersetOf(additional_values, policy_values)
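Review bot: The `values` literal in `test_to_policy_values` sets `'user_name': 'user_name'` twice (once after `'tenant_name'` and again as the last entry), so the second entry silently overwrites the first and one line is dead; drop the duplicate `'user_name': 'user_name',` at the end of the dict. Passing the string `'is_admin'` for `is_admin` works only because the test compares by equality; a boolean (`'is_admin': True`) would exercise the value the enforcer actually consumes. `TestNeutronContext` starts before this hunk.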