Allow an action if no policy exists for it and there is no default policy.pike-em 3.6.1

This is a special cherry-pick from horizon master branch as openstack_auth was merged into horizon in Queens. Closes-bug: 1739108 (cherry picked from commit 54365d7ef1007b3c8373ecb4e591c7f899dbeb98) Change-Id: I94b54b84e22f9c9f0f38adff087c465b558e5e2a
author: Vladislav Kuzmin <vkuzmin@mirantis.com> 2018-05-15 14:10:01 +0400
committer: Vladislav Kuzmin <vkuzmin@mirantis.com> 2018-05-22 18:19:38 +0000
commit: ddcfe7a6d4db1b476254b556057756eadd7b097d (patch)
tree: c2a1c6cc454969e29a9da678678cd18f448bbf09
parent: b25c1150e54b8c3794b3fba092d61301bfe57fd1 (diff)
download: django_openstack_auth-3.6.1.tar.gz
4 files changed, 69 insertions, 1 deletions
diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py
index 81fc7c2..1349869 100644
--- a/openstack_auth/policy.py
+++ b/openstack_auth/policy.py
@@ -181,7 +181,8 @@ def _check_credentials(enforcer_scope, action, target, credentials):
         # enforce loads the rules
         if action not in enforcer_scope.rules:
             if not enforcer_scope.enforce('default', target, credentials):
-                is_valid = False
+                if 'default' in enforcer_scope.rules:
+                    is_valid = False
         else:
             is_valid = False
     return is_valid
diff --git a/openstack_auth/tests/conf/no_default_policy.json b/openstack_auth/tests/conf/no_default_policy.json
new file mode 100644
index 0000000..07cd8c1
--- /dev/null
+++ b/openstack_auth/tests/conf/no_default_policy.json
@@ -0,0 +1,3 @@
+{
+    "no_default:action": ""
+}
diff --git a/openstack_auth/tests/conf/with_default_policy.json b/openstack_auth/tests/conf/with_default_policy.json
new file mode 100644
index 0000000..42e6bfc
--- /dev/null
+++ b/openstack_auth/tests/conf/with_default_policy.json
@@ -0,0 +1,4 @@
+{
+    "with_default:action": "",
+    "default": "role:admin"
+}
diff --git a/openstack_auth/tests/tests.py b/openstack_auth/tests/tests.py
index 78edc8f..d4923f2 100644
--- a/openstack_auth/tests/tests.py
+++ b/openstack_auth/tests/tests.py
@@ -1343,6 +1343,66 @@ class PolicyTestCaseNonAdmin(PolicyTestCase):
         self.assertTrue(value)
 
 
+class PolicyTestCheckCredentials(PolicyTestCase):
+    _roles = [{'id': '1', 'name': 'member'}]
+
+    def setUp(self):
+        policy_files = {
+            'no_default': 'no_default_policy.json',
+            'with_default': 'with_default_policy.json',
+        }
+
+        override = self.settings(POLICY_FILES=policy_files)
+        override.enable()
+        self.addCleanup(override.disable)
+
+        mock_user = user.User(id=1, roles=self._roles,
+                              user_domain_id='admin_domain_id')
+        patcher = mock.patch('openstack_auth.utils.get_user',
+                             return_value=mock_user)
+        self.MockClass = patcher.start()
+        self.addCleanup(patcher.stop)
+        self.request = http.HttpRequest()
+
+    def test_check_credentials(self):
+        policy.reset()
+        enforcer = policy._get_enforcer()
+        scope = enforcer['no_default']
+        user = utils.get_user()
+        credentials = policy._user_to_credentials(user)
+        target = {
+            'project_id': user.project_id,
+            'tenant_id': user.project_id,
+            'user_id': user.id,
+            'domain_id': user.user_domain_id,
+            'user.domain_id': user.user_domain_id,
+            'group.domain_id': user.user_domain_id,
+            'project.domain_id': user.user_domain_id,
+        }
+        is_valid = policy._check_credentials(scope, 'action', target,
+                                             credentials)
+        self.assertTrue(is_valid)
+
+    def test_check_credentials_default(self):
+        policy.reset()
+        enforcer = policy._get_enforcer()
+        scope = enforcer['with_default']
+        user = utils.get_user()
+        credentials = policy._user_to_credentials(user)
+        target = {
+            'project_id': user.project_id,
+            'tenant_id': user.project_id,
+            'user_id': user.id,
+            'domain_id': user.user_domain_id,
+            'user.domain_id': user.user_domain_id,
+            'group.domain_id': user.user_domain_id,
+            'project.domain_id': user.user_domain_id,
+        }
+        is_valid = policy._check_credentials(scope, 'action', target,
+                                             credentials)
+        self.assertFalse(is_valid)
+
+
 class PolicyTestCaseAdmin(PolicyTestCase):
     _roles = [{'id': '1', 'name': 'admin'}]
author	Vladislav Kuzmin <vkuzmin@mirantis.com>	2018-05-15 14:10:01 +0400
committer	Vladislav Kuzmin <vkuzmin@mirantis.com>	2018-05-22 18:19:38 +0000
commit	ddcfe7a6d4db1b476254b556057756eadd7b097d (patch)
tree	c2a1c6cc454969e29a9da678678cd18f448bbf09
parent	b25c1150e54b8c3794b3fba092d61301bfe57fd1 (diff)
download	django_openstack_auth-3.6.1.tar.gz