From 2e621eeb1cdfae5ceb3c83eb6befcb954f0b6cec Mon Sep 17 00:00:00 2001
From: Jamie Lennox
Date: Thu, 15 Sep 2016 10:07:18 +1000
Subject: [PATCH] Use to_policy_values for policy enforcement

Use the common policy values for all services when enforcing policy decisions. We add all possibly used policy values to maintain backwards compatibility.

Change-Id: Ie1d0739ab4dfb0654d8767693dbdba5cd52a30b2
Closes-Bug: #1602081
---
 neutron/context.py | 20 ++++++++++++++++++++
 neutron/policy.py | 6 +++---
 neutron/tests/unit/test_context.py | 25 +++++++++++++++++++++++++
 3 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/neutron/context.py b/neutron/context.py
index 18e26ecb76c..b9babba3b4c 100644
--- a/neutron/context.py
+++ b/neutron/context.py
@@ -91,6 +91,26 @@ class ContextBase(oslo_context.RequestContext):
 })
 return context
+ def to_policy_values(self):
+ values = super(ContextBase, self).to_policy_values()
+ values['tenant_id'] = self.tenant_id
+ values['is_admin'] = self.is_admin
+
+ # NOTE(jamielennox): These are almost certainly unused and non-standard
+ # but kept for backwards compatibility. Remove them in Pike
+ # (oslo.context from Ocata release already issues deprecation warnings
+ # for non-standard keys).
+ values['user'] = self.user
+ values['tenant'] = self.tenant
+ values['domain'] = self.domain
+ values['user_domain'] = self.user_domain
+ values['project_domain'] = self.project_domain
+ values['tenant_name'] = self.tenant_name
+ values['project_name'] = self.tenant_name
+ values['user_name'] = self.user_name
+
+ return values
+
 @classmethod
 def from_dict(cls, values):
 return cls(user_id=values.get('user_id', values.get('user')),
diff --git a/neutron/policy.py b/neutron/policy.py
index 19541a99218..d5d9ecaa579 100644
--- a/neutron/policy.py
+++ b/neutron/policy.py
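Review bot: The new `to_policy_values` has no docstring, yet after this change it is the exact credential dict that policy.py hands to the enforcer, so a maintainer later trimming the "kept for backwards compatibility" block would be changing which policy rules can still match without any hint in the code. Suggest a docstring such as `"""Return the credentials dict used for policy enforcement."""` followed by a sentence stating that every key added or removed here changes the key set policy rules are evaluated against. The `values['project_name'] = self.tenant_name` mapping reads like a deliberate mirror of the legacy naming rather than a typo, but a one-word comment (`# legacy alias`) would stop the next reader from "fixing" it. The enclosing `ContextBase` class starts and ends outside the hunk.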
@@ -321,7 +321,7 @@ def _prepare_check(context, action, target, pluralized):
 if target is None:
 target = {}
 match_rule = _build_match_rule(action, target, pluralized)
- credentials = context.to_dict()
+ credentials = context.to_policy_values()
 return match_rule, target, credentials
@@ -410,7 +410,7 @@ def check_is_admin(context):
 """Verify context has admin rights according to policy settings."""
 init()
 # the target is user-self
- credentials = context.to_dict()
+ credentials = context.to_policy_values()
 if ADMIN_CTX_POLICY not in _ENFORCER.rules:
 return False
 return _ENFORCER.enforce(ADMIN_CTX_POLICY, credentials, credentials)
@@ -420,7 +420,7 @@ def check_is_advsvc(context):
 """Verify context has advsvc rights according to policy settings."""
 init()
 # the target is user-self
- credentials = context.to_dict()
+ credentials = context.to_policy_values()
 if ADVSVC_CTX_POLICY not in _ENFORCER.rules:
 return False
 return _ENFORCER.enforce(ADVSVC_CTX_POLICY, credentials, credentials)
diff --git a/neutron/tests/unit/test_context.py b/neutron/tests/unit/test_context.py
index 362f13e84e9..ec15e33ecf4 100644
--- a/neutron/tests/unit/test_context.py
+++ b/neutron/tests/unit/test_context.py
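Review bot: Replacing `context.to_dict()` with `context.to_policy_values()` in `_prepare_check` changes the set of credential keys the enforcer evaluates rules against, and the same applies to the two hunks below in `check_is_admin` and `check_is_advsvc`; any deployed policy rule that references a key `to_dict()` exposed but the new method does not will now see that key as absent. As far as I recall, oslo.policy's generic check evaluates a missing credential key as false, so the failure mode is a deny rather than a grant — fail-closed, but it can silently break rules that used to pass, and nothing in the commit message or a comment warns operators. Suggest a comment at the first call site, `# credentials must come from to_policy_values(); policy rules may only reference keys it returns`, plus a release note listing which keys are no longer available to policy. `_prepare_check`'s body starts outside the hunk.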
@@ -142,3 +142,28 @@ class TestNeutronContext(base.BaseTestCase):
 ctx_admin = context.get_admin_context()
 self.assertEqual(req_id_before, oslo_context.get_current().request_id)
 self.assertNotEqual(req_id_before, ctx_admin.request_id)
+
+ def test_to_policy_values(self):
+ values = {
+ 'user_id': 'user_id',
+ 'tenant_id': 'tenant_id',
+ 'is_admin': 'is_admin',
+ 'tenant_name': 'tenant_name',
+ 'user_name': 'user_name',
+ 'domain': 'domain',
+ 'user_domain': 'user_domain',
+ 'project_domain': 'project_domain',
+ 'user_name': 'user_name',
+ }
+ additional_values = {
+ 'user': 'user_id',
+ 'tenant': 'tenant_id',
+ 'project_id': 'tenant_id',
+ 'project_name': 'tenant_name',
+ }
+ ctx = context.Context(**values)
+ # apply dict() to get a real dictionary, needed for newer oslo.context
+ # that returns _DeprecatedPolicyValues object instead
+ policy_values = dict(ctx.to_policy_values())
+ self.assertDictSupersetOf(values, policy_values)
+ self.assertDictSupersetOf(additional_values, policy_values)
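Review bot: The `values` literal in `test_to_policy_values` lists `'user_name': 'user_name'` twice (fifth and last entry), so the second silently overwrites the first and the dict has one fewer key than it reads; drop the duplicate line, or replace it with whichever key was actually intended. `'is_admin': 'is_admin'` also passes a string where the context presumably holds a bool — the superset check passes only because the value is echoed back, so `'is_admin': True` would pin the boolean that policy enforcement actually consumes. The test never asserts on `roles`, which is the key the admin/advsvc rules are most likely to match on; consider adding `'roles': ['member']` to `values` so a regression in the inherited part of `to_policy_values` is caught here too.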