author | Zuul <zuul@review.opendev.org> | 2021-10-25 14:02:35 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2021-10-25 14:02:35 +0000 |
commit | 4ecbcf280ad008f17ab4a72bc56a9793c32f7dc7 (patch) | |
tree | 15f4f917a467146b03a590bf9c5406710e5a4de7 | |
parent | cce180d37237f275be7ffb7179893ee475c8a561 (diff) | |
parent | 0aa03fd856fa6ad1481797d6b456271bbbd0e9dc (diff) | |
download | oslo-policy-4ecbcf280ad008f17ab4a72bc56a9793c32f7dc7.tar.gz |
Merge "Refactor scope enforcement in the Enforcer class"3.10.0
-rw-r--r-- | oslo_policy/policy.py | 66 |
1 files changed, 34 insertions, 32 deletions
diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py
index 49008e8..875727f 100644
--- a/oslo_policy/policy.py
+++ b/oslo_policy/policy.py
@@ -1063,40 +1063,9 @@ class Enforcer(object):
 # as token_scope is not actually a hardcoded
 # token.
 
- # Check the scope of the operation against the possible scope
- # attributes provided in `creds`.
- if creds.get('system'):
- token_scope = 'system' # nosec
- elif creds.get('domain_id'):
- token_scope = 'domain' # nosec
- else:
- # If the token isn't system-scoped or domain-scoped then
- # we're dealing with a project-scoped token.
- token_scope = 'project' # nosec
-
 registered_rule = self.registered_rules.get(rule)
 if registered_rule and registered_rule.scope_types:
- if token_scope not in registered_rule.scope_types:
- if self.conf.oslo_policy.enforce_scope:
- raise InvalidScope(
- rule, registered_rule.scope_types, token_scope
- )
- # If we don't raise an exception we should at least
- # inform operators about policies that are being used
- # with improper scopes.
- msg = (
- 'Policy %(rule)s failed scope check. The token '
- 'used to make the request was %(token_scope)s '
- 'scoped but the policy requires %(policy_scope)s '
- 'scope. This behavior may change in the future '
- 'where using the intended scope is required' % {
- 'rule': rule,
- 'token_scope': token_scope,
- 'policy_scope': registered_rule.scope_types
- }
- )
- warnings.warn(msg)
-
+ self._enforce_scope(creds, registered_rule)
 result = _checks._check(
 rule=to_check,
 target=target,
@@ -1114,6 +1083,39 @@ class Enforcer(object):
 
 return result
 
+ def _enforce_scope(self, creds, rule):
+ # Check the scope of the operation against the possible scope
+ # attributes provided in `creds`.
+ if creds.get('system'):
+ token_scope = 'system' # nosec
+ elif creds.get('domain_id'):
+ token_scope = 'domain' # nosec
+ else:
+ # If the token isn't system-scoped or domain-scoped then
+ # we're dealing with a project-scoped token.
+ token_scope = 'project' # nosec
+
+ if token_scope not in rule.scope_types:
+ if self.conf.oslo_policy.enforce_scope:
+ raise InvalidScope(
+ rule, rule.scope_types, token_scope
+ )
+ # If we don't raise an exception we should at least
+ # inform operators about policies that are being used
+ # with improper scopes.
+ msg = (
+ 'Policy %(rule)s failed scope check. The token '
+ 'used to make the request was %(token_scope)s '
+ 'scoped but the policy requires %(policy_scope)s '
+ 'scope. This behavior may change in the future '
+ 'where using the intended scope is required' % {
+ 'rule': rule,
+ 'token_scope': token_scope,
+ 'policy_scope': rule.scope_types
+ }
+ )
+ warnings.warn(msg)
+
 def _map_context_attributes_into_creds(self, context):
 creds = {}
 # port public context attributes into the creds dictionary so long as |
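Review bot: In `_enforce_scope` the `rule` parameter is the registered rule object handed over by the call site in the first hunk (`self._enforce_scope(creds, registered_rule)`), yet it is passed as the first argument to `InvalidScope` and formatted into the warning as `%(rule)s`, where the removed code used the policy name string; unless the registered rule's `__str__` yields the bare name, the warning and exception text that operators match on when auditing scope failures changes with this refactor. Prefer the name explicitly, assuming the registered rule exposes it as in `raise InvalidScope(rule.name, rule.scope_types, token_scope)` and `'rule': rule.name,`, or pass the caller's `rule` name in as a separate parameter. The helper also needs a docstring stating its contract, e.g. `"""Check the token scope derived from ``creds`` against ``rule.scope_types``; raise InvalidScope when [oslo_policy] enforce_scope is set, otherwise only emit a warning and let the caller proceed. Only call with rules whose scope_types is non-empty."""`, since `token_scope not in rule.scope_types` raises TypeError on None and the warn-only path means a mis-scoped token is still accepted. `_map_context_attributes_into_creds` continues past the end of the hunk.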