authorSlawek Kaplonski <skaplons@redhat.com>2021-10-05 11:13:39 +0200
committerSlawek Kaplonski <skaplons@redhat.com>2021-10-05 11:20:03 +0200
commit0aa03fd856fa6ad1481797d6b456271bbbd0e9dc (patch)
tree53810dae8582185d391195eca254fc0659c4b988
parentfb51982f80572c73fc8dcaf2818a0ad31663a11e (diff)
downloadoslo-policy-0aa03fd856fa6ad1481797d6b456271bbbd0e9dc.tar.gz
Refactor scope enforcement in the Enforcer class
This patch moves the code responsible for scope type enforcement into a separate method that can be reused in other places, e.g. to enforce scope for instances of the BaseCheck class. Related-Bug: #1923503 Change-Id: I6fd671728582b2f60939764075a8e2a977e78b58
-rw-r--r--oslo_policy/policy.py66
1 files changed, 34 insertions, 32 deletions
diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py
index 53815d6..72a53db 100644
--- a/oslo_policy/policy.py
+++ b/oslo_policy/policy.py
@@ -1040,40 +1040,9 @@ class Enforcer(object):
# as token_scope is not actually a hardcoded
# token.
- # Check the scope of the operation against the possible scope
- # attributes provided in `creds`.
- if creds.get('system'):
- token_scope = 'system' # nosec
- elif creds.get('domain_id'):
- token_scope = 'domain' # nosec
- else:
- # If the token isn't system-scoped or domain-scoped then
- # we're dealing with a project-scoped token.
- token_scope = 'project' # nosec
-
registered_rule = self.registered_rules.get(rule)
if registered_rule and registered_rule.scope_types:
- if token_scope not in registered_rule.scope_types:
- if self.conf.oslo_policy.enforce_scope:
- raise InvalidScope(
- rule, registered_rule.scope_types, token_scope
- )
- # If we don't raise an exception we should at least
- # inform operators about policies that are being used
- # with improper scopes.
- msg = (
- 'Policy %(rule)s failed scope check. The token '
- 'used to make the request was %(token_scope)s '
- 'scoped but the policy requires %(policy_scope)s '
- 'scope. This behavior may change in the future '
- 'where using the intended scope is required' % {
- 'rule': rule,
- 'token_scope': token_scope,
- 'policy_scope': registered_rule.scope_types
- }
- )
- warnings.warn(msg)
-
+ self._enforce_scope(creds, registered_rule)
result = _checks._check(
rule=to_check,
target=target,
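Review bot: The comment that ends at the top of this hunk (`# as token_scope is not actually a hardcoded` / `# token.`) stays in enforce() while the `token_scope = ...  # nosec` assignments it appears to justify are removed, so it is left orphaned next to code it no longer describes. Its first lines are outside the hunk, but the whole comment should move with those assignments into `_enforce_scope` (the later hunk of this commit) so the `# nosec` markers keep their explanation. The enclosing enforce() method starts and ends outside the hunk.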
@@ -1091,6 +1060,39 @@ class Enforcer(object):
return result
+ def _enforce_scope(self, creds, rule):
+ # Check the scope of the operation against the possible scope
+ # attributes provided in `creds`.
+ if creds.get('system'):
+ token_scope = 'system' # nosec
+ elif creds.get('domain_id'):
+ token_scope = 'domain' # nosec
+ else:
+ # If the token isn't system-scoped or domain-scoped then
+ # we're dealing with a project-scoped token.
+ token_scope = 'project' # nosec
+
+ if token_scope not in rule.scope_types:
+ if self.conf.oslo_policy.enforce_scope:
+ raise InvalidScope(
+ rule, rule.scope_types, token_scope
+ )
+ # If we don't raise an exception we should at least
+ # inform operators about policies that are being used
+ # with improper scopes.
+ msg = (
+ 'Policy %(rule)s failed scope check. The token '
+ 'used to make the request was %(token_scope)s '
+ 'scoped but the policy requires %(policy_scope)s '
+ 'scope. This behavior may change in the future '
+ 'where using the intended scope is required' % {
+ 'rule': rule,
+ 'token_scope': token_scope,
+ 'policy_scope': rule.scope_types
+ }
+ )
+ warnings.warn(msg)
+
def _map_context_attributes_into_creds(self, context):
creds = {}
# port public context attributes into the creds dictionary so long as
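Review bot: `raise InvalidScope(rule, rule.scope_types, token_scope)` and the `'rule': rule` entry of the warning now receive the registered rule object, whereas the code removed in the earlier hunk passed the rule name that `self.registered_rules.get(rule)` is keyed on, so the exception text and the operator warning format the object rather than the policy name unless that object's `__str__` happens to yield the name, which is not visible here. Assuming the registered rule exposes the policy name as `rule.name`, passing `rule.name, rule.scope_types, token_scope` and `'rule': rule.name,` keeps both messages identical to what they were before the refactor. The new method also has no docstring even though the description intends it for reuse; one stating that it derives the token scope from the `system`/`domain_id` keys of `creds`, raises InvalidScope when `enforce_scope` is set and that scope is not in `rule.scope_types`, and otherwise only warns, would help the next caller.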