Pass RequestContext to oslo_policy

In nova.policy.authorize() method, it convert the context object to policy value by context.to_policy_values() and then pass that into oslo.policy enforcer authorize() method. This is fine till now and does not cause any issue but when scope_type is set on policy and context then scope info is not passed correctly. In case of system scope, oslo.policy check for a key called 'system' in creds. The oslo.context library uses `system_scope` instead[1], and the compatibility between both oslo.policy and oslo.context are handled when complete context is passed into oslo_policy[2]. If nova convert the context object to policy values then system scope info is not passed into the oslo_policy. Better way is to pass the complete context object to oslo_policy and let oslo_policy fetch the system scope info in correct way. Update the lower constraints for oslo.policy and oslo.context to have system scope checks feature. Partial implement blueprint policy-defaults-refresh [1] f65408df5c/oslo_context/context.py (L321) [2] b9fd10e261/oslo_policy/policy.py (L994) Change-Id: I847fc44e62065e3d26e5595e178b83912ab5d19b
2019-08-01 13:43:30 +00:00 · 2019-08-01 13:43:30 +00:00 · 55ae1a5d53
parent 9742a64403
commit 55ae1a5d53
4 changed files with 31 additions and 10 deletions
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@ -76,13 +76,13 @@ osc-lib==1.10.0
 oslo.cache==1.26.0
 oslo.concurrency==3.26.0
 oslo.config==6.1.0
-oslo.context==2.19.2
+oslo.context==2.21.0
 oslo.db==4.44.0
 oslo.i18n==3.15.3
 oslo.log==3.36.0
 oslo.messaging==7.0.0
 oslo.middleware==3.31.0
-oslo.policy==1.35.0
+oslo.policy==1.38.0
 oslo.privsep==1.33.2
 oslo.reports==1.18.0
 oslo.rootwrap==5.8.0
--- a/nova/policy.py
+++ b/nova/policy.py
@ -153,7 +153,6 @@ def authorize(context, action, target=None, do_raise=True, exc=None):
           do_raise is False.
    """
    init()
-    credentials = context.to_policy_values()
    if not exc:
        exc = exception.PolicyNotAuthorized

@ -163,16 +162,23 @@ def authorize(context, action, target=None, do_raise=True, exc=None):
        target = default_target(context)

    try:
-        result = _ENFORCER.authorize(action, target, credentials,
+        result = _ENFORCER.authorize(action, target, context,
                                     do_raise=do_raise, exc=exc, action=action)
    except policy.PolicyNotRegistered:
        with excutils.save_and_reraise_exception():
            LOG.exception(_LE('Policy not registered'))
+    except policy.InvalidScope:
+        LOG.debug('Policy check for %(action)s failed with scope check '
+                  '%(credentials)s',
+                  {'action': action,
+                   'credentials': context.to_policy_values()})
+        raise exc(action=action)
    except Exception:
        with excutils.save_and_reraise_exception():
            LOG.debug('Policy check for %(action)s failed with credentials '
                      '%(credentials)s',
-                      {'action': action, 'credentials': credentials})
+                      {'action': action,
+                       'credentials': context.to_policy_values()})
    return result


@ -187,9 +193,8 @@ def check_is_admin(context):

    init()
    # the target is user-self
-    credentials = context.to_policy_values()
    target = default_target(context)
-    return _ENFORCER.authorize('context_is_admin', target, credentials)
+    return _ENFORCER.authorize('context_is_admin', target, context)


@policy.register('is_admin')
--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
@ -185,6 +185,22 @@ class PolicyTestCase(test.NoDBTestCase):
                "project_id:%(project_id)s")])
        mock_warning.assert_not_called()

+    @requests_mock.mock()
+    def test_authorize_raise_invalid_scope(self, req_mock):
+        req_mock.post('http://www.example.com/',
+                      text='False')
+        action = "example:get_http"
+        target = {}
+        with mock.patch('oslo_policy.policy.Enforcer.authorize') as auth_mock:
+            auth_mock.side_effect = oslo_policy.InvalidScope(
+                action, self.context.system_scope, 'invalid_scope')
+            exc = self.assertRaises(exception.PolicyNotAuthorized,
+                                    policy.authorize, self.context,
+                                    action, target)
+            self.assertEqual(
+                "Policy doesn't allow %s to be performed." % action,
+                exc.format_message())
+
    @mock.patch.object(policy.LOG, 'warning')
    def test_verify_deprecated_policy_using_old_action(self, mock_warning):

@ -256,7 +272,7 @@ class IsAdminCheckTestCase(test.NoDBTestCase):
        mock_auth.assert_called_once_with(
            'context_is_admin',
            {'user_id': 'fake-user', 'project_id': 'fake-project'},
-            ctxt.to_policy_values())
+            ctxt)


 class AdminRolePolicyTestCase(test.NoDBTestCase):
--- a/requirements.txt
+++ b/requirements.txt
@ -37,7 +37,7 @@ websockify>=0.8.0 # LGPLv3
 oslo.cache>=1.26.0 # Apache-2.0
 oslo.concurrency>=3.26.0 # Apache-2.0
 oslo.config>=6.1.0 # Apache-2.0
-oslo.context>=2.19.2 # Apache-2.0
+oslo.context>=2.21.0 # Apache-2.0
 oslo.log>=3.36.0 # Apache-2.0
 oslo.reports>=1.18.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.21.1 # Apache-2.0
@ -46,7 +46,7 @@ oslo.utils>=3.40.2 # Apache-2.0
 oslo.db>=4.44.0 # Apache-2.0
 oslo.rootwrap>=5.8.0 # Apache-2.0
 oslo.messaging>=7.0.0 # Apache-2.0
-oslo.policy>=1.35.0 # Apache-2.0
+oslo.policy>=1.38.0 # Apache-2.0
 oslo.privsep>=1.33.2 # Apache-2.0
 oslo.i18n>=3.15.3 # Apache-2.0
 oslo.service>=1.40.1 # Apache-2.0