From bd2ff5e8176b56ae2d78ce09f7c4addefe63ef1a Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Sun, 28 Jan 2024 12:01:04 -0800
Subject: [PATCH] Set system scope in oslo policy creds object

In tacker.policy.authorize() method, it convert the context object to policy value by context.to_policy_values() and then pass that into oslo.policy enforcer authorize() method. This is fine till now and does not cause any issue but as per SRABC, we need to set if token is system scope (for project scope it is all fine) in oslo policy creds via key 'system'. But context.to_policy_values() method does not set the 'system' key in creds because there it is named as `system_scope`. To fix that we need to explicitly set the 'system' key in creds.

Partial implement blueprint implement-project-personas

Change-Id: I65d28749a4584661f7f4f596c4d2c39a84730963
---
 tacker/policy.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/tacker/policy.py b/tacker/policy.py
index 970435f43..b018eb486 100644
--- a/tacker/policy.py
+++ b/tacker/policy.py
@@ -188,6 +188,20 @@ def authorize(context, action, target, do_raise=True, exc=None):
 init()
 credentials = context.to_policy_values()
+ # NOTE(gmann): For system, scope token, oslo.policy check
+ # for a key 'system' in creds. The oslo.context library uses
+ # `system_scope` instead. Because we are converting the context
+ # attribute to creds via context.to_policy_values which does not
+ # convert 'system_scope' key. There are two ways to solve this:
+ # 1. Pass full context to oslo.policy and their it convert this key
+ # but Tacker has special case of enhanced policy conversion
+ # (via _pre_enhanced_policy_check(), method which sets its own
+ # key in creds. So passing full context to oslo.policy make enhance
+ # policy conversion more complex.
+ # 2. Set 'system' key in creds explicitly. This is easy and more
+ # readable way.
+ if context.system_scope:
+ credentials['system'] = context.system_scope
 target, credentials = _pre_enhanced_policy_check(target, credentials)
 if not exc:
 exc = exceptions.PolicyNotAuthorized
@@ -197,6 +211,12 @@ def authorize(context, action, target, do_raise=True, exc=None):
 except policy.PolicyNotRegistered:
 with excutils.save_and_reraise_exception():
 LOG.error('Policy not registered')
+ except policy.InvalidScope:
+ LOG.debug('Policy check for %(action)s failed with scope check ' '%(credentials)s', {'action': action, 'credentials': credentials})
+ raise exc(action=action)
 except Exception:
 with excutils.save_and_reraise_exception():
 LOG.error('Policy check for %(action)s failed with credentials '
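Review bot: The `credentials['system']` assignment happens before `target, credentials = _pre_enhanced_policy_check(target, credentials)` rebinds `credentials`, and the new comment itself says that helper sets its own keys in creds; if it returns a fresh dict instead of mutating the one passed in, the `system` key never reaches the enforcer and a system-scoped token silently falls through to the project-scope path with no error. The helper is outside this hunk, so either confirm it preserves keys it does not know about or move the assignment after the call: `target, credentials = _pre_enhanced_policy_check(target, credentials)` / `if context.system_scope:` / `credentials['system'] = context.system_scope`. The twelve-line NOTE also reads awkwardly ("For system, scope token", "their it convert this key") and could be reduced to `# NOTE(gmann): oslo.policy's scope check reads creds['system'], but oslo.context's to_policy_values() only exports 'system_scope', so populate the key explicitly here.` with the remaining rationale left to the commit message. The body of authorize() starts before this hunk and continues after it.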
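Review bot: The new `except policy.InvalidScope` branch raises `exc(action=action)` unconditionally, while the `do_raise` parameter in the signature suggests callers can ask for a boolean result rather than an exception; if the enforcer can surface `InvalidScope` on a `do_raise=False` call, this branch turns a "return False" contract into a raise the caller does not handle. Consider guarding it with `if not do_raise:` / `return False` ahead of `raise exc(action=action)`, or state in a comment that scope failures always raise regardless of `do_raise`. A caller-supplied `exc` must also accept an `action=` keyword, which is only implied by the default `exceptions.PolicyNotAuthorized`; a one-line comment naming that contract would save the next reader a trip to the exceptions module. The sibling `except Exception` path logs the credentials at error level while this one logs them at debug, so a scope rejection during SRBAC rollout is easy to miss in production logs — `LOG.warning` with just the action and the token scope, not the full credentials dict, would be the safer default. The try block continues past the end of this hunk.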