openstack/oslo.policy
Code Issues Proposed changes

Enforce scope check always when rule has scope_types set

Browse Source 
Previously it was checked only for registered rules but not for
rules which are subclasses of the BaseCheck class.
Now it's checked for all rules which have scope_types set.

It's required for e.g. Neutron as it is creating Check objects based
on the defined policy rules to e.g. include in the check attributes
like network's provider parameters, etc.

Depends-On: https://review.opendev.org/c/openstack/neutron/+/815838
Depends-On: https://review.opendev.org/c/openstack/neutron/+/818725

Closes-Bug: #1923503
Change-Id: I55258c1f999c84220518d1fbbf5e1e514361cebe
This commit is contained in:
Slawek Kaplonski 2021-10-05 11:16:04 +02:00
parent 1e89f032b7
commit 919c3280aa
3 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
oslo_policy/policy.py
View File

@ -1041,6 +1041,8 @@ class Enforcer(object):
if isinstance(rule, _checks.BaseCheck):
# If the thing we're given is a Check, we don't know the
# name of the rule, so pass None for current_rule.
if rule.scope_types:
self._enforce_scope(creds, rule)
result = _checks._check(
rule=rule,
target=target,

16
oslo_policy/tests/test_policy.py
View File

@ -999,6 +999,22 @@ class EnforcerTest(base.PolicyBaseTestCase):
target_dict, ctx
)
def test_enforce_scope_with_subclassed_checks_when_scope_not_set(self):
self.conf.set_override('enforce_scope', True, group='oslo_policy')
rule = _checks.TrueCheck()
rule.scope_types = None
ctx = context.RequestContext(system_scope='all', roles=['admin'])
self.enforcer.enforce(rule, {}, ctx)
def test_enforcer_raises_invalid_scope_with_subclassed_checks(self):
self.conf.set_override('enforce_scope', True, group='oslo_policy')
rule = _checks.TrueCheck()
rule.scope_types = ['domain']
ctx = context.RequestContext(system_scope='all', roles=['admin'])
self.assertRaises(
policy.InvalidScope,
self.enforcer.enforce, rule, {}, ctx)
class EnforcerNoPolicyFileTest(base.PolicyBaseTestCase):
def setUp(self):

6
releasenotes/notes/enforce-scope-checks-always-when-rule-has-scope_types-8f983cdf70766e4f.yaml Normal file
View File

@ -0,0 +1,6 @@
---
other:
- |
Scope check is enforced for all rules, registered ones as well as the ones
which are subclasses of the ``BaseCheck`` class if rule has ``scope_types``
set.