authorSlawek Kaplonski <skaplons@redhat.com>2021-10-05 11:16:04 +0200
committerSlawek Kaplonski <skaplons@redhat.com>2021-11-23 21:30:14 +0000
commit919c3280aa79762df8475f131a65d12b78ac436e (patch)
treea9af15e892cdbc3e9a9982ffc6b35783f7fad7c1
parent1e89f032b7b47cc2a3567da40fc6d5ace10ee768 (diff)
downloadoslo-policy-919c3280aa79762df8475f131a65d12b78ac436e.tar.gz
Enforce scope check always when rule has scope_types set3.10.1
Previously it was checked only for registered rules but not for rules which are subclasses of the BaseCheck class. Now it's checked for all rules which have scope_types set. It is required by e.g. Neutron, which creates Check objects based on the defined policy rules, e.g. to include attributes such as a network's provider parameters in the check. Depends-On: https://review.opendev.org/c/openstack/neutron/+/815838 Depends-On: https://review.opendev.org/c/openstack/neutron/+/818725 Closes-Bug: #1923503 Change-Id: I55258c1f999c84220518d1fbbf5e1e514361cebe
-rw-r--r--oslo_policy/policy.py2
-rw-r--r--oslo_policy/tests/test_policy.py16
-rw-r--r--releasenotes/notes/enforce-scope-checks-always-when-rule-has-scope_types-8f983cdf70766e4f.yaml6
3 files changed, 24 insertions, 0 deletions
diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py
index 875727f..48bc40f 100644
--- a/oslo_policy/policy.py
+++ b/oslo_policy/policy.py
@@ -1041,6 +1041,8 @@ class Enforcer(object):
if isinstance(rule, _checks.BaseCheck):
# If the thing we're given is a Check, we don't know the
# name of the rule, so pass None for current_rule.
+ if rule.scope_types:
+ self._enforce_scope(creds, rule)
result = _checks._check(
rule=rule,
target=target,
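Review bot: The new guard at the top of this hunk reads `rule.scope_types` directly, so it relies on every BaseCheck subclass exposing that attribute; the new test in this commit sets `rule.scope_types = None` explicitly on a TrueCheck, which suggests the default may not be guaranteed for all Check objects. If BaseCheck does not declare `scope_types = None`, a plain Check object passed to enforce() would now fail with AttributeError instead of being evaluated, which is a behaviour change beyond the one the commit intends. A tolerant read, `if getattr(rule, 'scope_types', None):`, keeps the new enforcement for rules that set scope types and is a no-op for the rest; the intent also deserves a comment such as `# Ad-hoc Check objects can carry scope_types too; enforce them like registered rules.` The enclosing enforce() method starts and ends outside the hunk.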
diff --git a/oslo_policy/tests/test_policy.py b/oslo_policy/tests/test_policy.py
index f24a02e..5dcf868 100644
--- a/oslo_policy/tests/test_policy.py
+++ b/oslo_policy/tests/test_policy.py
@@ -999,6 +999,22 @@ class EnforcerTest(base.PolicyBaseTestCase):
target_dict, ctx
)
+ def test_enforce_scope_with_subclassed_checks_when_scope_not_set(self):
+ self.conf.set_override('enforce_scope', True, group='oslo_policy')
+ rule = _checks.TrueCheck()
+ rule.scope_types = None
+ ctx = context.RequestContext(system_scope='all', roles=['admin'])
+ self.enforcer.enforce(rule, {}, ctx)
+
+ def test_enforcer_raises_invalid_scope_with_subclassed_checks(self):
+ self.conf.set_override('enforce_scope', True, group='oslo_policy')
+ rule = _checks.TrueCheck()
+ rule.scope_types = ['domain']
+ ctx = context.RequestContext(system_scope='all', roles=['admin'])
+ self.assertRaises(
+ policy.InvalidScope,
+ self.enforcer.enforce, rule, {}, ctx)
+
class EnforcerNoPolicyFileTest(base.PolicyBaseTestCase):
def setUp(self):
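Review bot: test_enforce_scope_with_subclassed_checks_when_scope_not_set discards the return value of enforce(), so it only proves that no exception is raised; asserting the result, `self.assertTrue(self.enforcer.enforce(rule, {}, ctx))`, would also pin that the TrueCheck is still evaluated when scope_types is None. The two new tests cover the unset and the mismatching case but not the matching one, where a rule with `rule.scope_types = ['system']` is enforced under the same system-scoped context and is expected to pass; that case is what guards against the new check rejecting valid scoped calls. The enclosing EnforcerTest class starts outside the hunk.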
diff --git a/releasenotes/notes/enforce-scope-checks-always-when-rule-has-scope_types-8f983cdf70766e4f.yaml b/releasenotes/notes/enforce-scope-checks-always-when-rule-has-scope_types-8f983cdf70766e4f.yaml
new file mode 100644
index 0000000..d13c523
--- /dev/null
+++ b/releasenotes/notes/enforce-scope-checks-always-when-rule-has-scope_types-8f983cdf70766e4f.yaml
@@ -0,0 +1,6 @@
+---
+other:
+ - |
+ Scope check is enforced for all rules, registered ones as well as the ones
+ which are subclasses of the ``BaseCheck`` class if rule has ``scope_types``
+ set.