From 118da903b1ff15805ae2efaf397d139145e1cf0c Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Tue, 16 Feb 2021 19:44:51 +0000
Subject: [PATCH] Properly handle InvalidScope exceptions

Now that we're starting to set scope_types on default policies, we should make sure we handle InvalidScope exceptions from oslo.policy in the event enforce_scope=True. Operators won't use this switch for a while, but it prepares us for when cinder will be system-scope aware. This commit also bumps the minimum version of oslo.policy to 3.6.2, which is safer when running tests in parallel with different policy configurations.
Change-Id: I680cb8c4be13bcd3ac6785a7afa81ce5d3477f91
---
 cinder/policy.py | 15 +++++++++------
 cinder/tests/unit/test_policy.py | 25 +++++++++++++++++++++++++
 lower-constraints.txt | 2 +-
 requirements.txt | 2 +-
 4 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/cinder/policy.py b/cinder/policy.py
index 17f4f815324..1e848344984 100644
--- a/cinder/policy.py
+++ b/cinder/policy.py
@@ -76,12 +76,15 @@ def enforce(context, action, target):
 """
 init()
- return _ENFORCER.enforce(action,
- target,
- context.to_policy_values(),
- do_raise=True,
- exc=exception.PolicyNotAuthorized,
- action=action)
+ try:
+ return _ENFORCER.enforce(action,
+ target,
+ context.to_policy_values(),
+ do_raise=True,
+ exc=exception.PolicyNotAuthorized,
+ action=action)
+ except policy.InvalidScope:
+ raise exception.PolicyNotAuthorized(action=action)
 def set_rules(rules, overwrite=True, use_conf=False):
diff --git a/cinder/tests/unit/test_policy.py b/cinder/tests/unit/test_policy.py
index 5901d439c27..bac57f8fc61 100644
--- a/cinder/tests/unit/test_policy.py
+++ b/cinder/tests/unit/test_policy.py
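Review bot: The new `except policy.InvalidScope` clause folds a scope mismatch into the same PolicyNotAuthorized that a failed rule produces, which keeps the API response uniform (no scope internals leak to the caller) but drops the operator-side signal that the denial was a scope problem rather than a role problem. Add a why-comment above the re-raise, e.g. `# A scope mismatch (enforce_scope=True) is reported as the same 403 as a rule failure so internal scope details are not exposed; the InvalidScope stays chained as __context__.`, and if the module has a logger consider a debug-level line naming the action before re-raising so scope misconfigurations are diagnosable during the system-scope migration. The docstring whose closing `"""` opens this hunk should also state that PolicyNotAuthorized is raised on scope mismatch when enforce_scope is on. `enforce` starts before this hunk, and `policy` here presumably refers to the imported oslo_policy module — confirm the import is still bound under that name.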
@@ -131,3 +131,28 @@ class PolicyTestCase(test.TestCase):
 roles=['AdMiN'])
 policy.authorize(admin_context, lowercase_action, self.target)
 policy.authorize(admin_context, uppercase_action, self.target)
+
+ def test_enforce_properly_handles_invalid_scope_exception(self):
+ self.fixture.config(enforce_scope=True, group='oslo_policy')
+ project_context = context.RequestContext(project_id='fake-project-id',
+ roles=['bar'])
+ policy.reset()
+ policy.init()
+ rule = oslo_policy.RuleDefault('foo', 'role:bar',
+ scope_types=['system'])
+ policy._ENFORCER.register_defaults([rule])
+
+ self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
+ project_context, 'foo', {})
+
+ def test_enforce_does_not_raise_forbidden(self):
+ self.fixture.config(enforce_scope=False, group='oslo_policy')
+ project_context = context.RequestContext(project_id='fake-project-id',
+ roles=['bar'])
+ policy.reset()
+ policy.init()
+ rule = oslo_policy.RuleDefault('foo', 'role:bar',
+ scope_types=['system'])
+ policy._ENFORCER.register_defaults([rule])
+
+ self.assertTrue(policy.enforce(project_context, 'foo', {}))
diff --git a/lower-constraints.txt b/lower-constraints.txt
index 53283e51fb4..2647b393e6b 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -64,7 +64,7 @@ oslo.i18n==5.0.1
 oslo.log==4.4.0
 oslo.messaging==12.5.0
 oslo.middleware==4.1.1
-oslo.policy==3.6.0
+oslo.policy==3.6.2
 oslo.privsep==2.4.0
 oslo.reports==2.2.0
 oslo.rootwrap==6.2.0
diff --git a/requirements.txt b/requirements.txt
index 4d316748311..3a44e915719 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -21,7 +21,7 @@ oslo.db>=8.4.0 # Apache-2.0
 oslo.log>=4.4.0 # Apache-2.0
 oslo.messaging>=12.5.0 # Apache-2.0
 oslo.middleware>=4.1.1 # Apache-2.0
-oslo.policy>=3.6.0 # Apache-2.0
+oslo.policy>=3.6.2 # Apache-2.0
 oslo.privsep>=2.4.0 # Apache-2.0
 oslo.reports>=2.2.0 # Apache-2.0
 oslo.rootwrap>=6.2.0 # Apache-2.0
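Review bot: Both new tests mutate global enforcer state — `self.fixture.config(enforce_scope=...)` and `policy._ENFORCER.register_defaults([rule])` — and only reset it at the start, so the registered `foo` rule and the enforce_scope setting can leak into later tests in the same process unless the base class tears them down; adding `self.addCleanup(policy.reset)` right after the `policy.init()` call would make each test self-contained. The two bodies are identical apart from the enforce_scope value and the final assertion, so a small helper (for example `_register_system_scoped_rule(self, enforce_scope)`, name constructed) would keep them in step as more scope tests are added. In the `enforce_scope=False` case oslo.policy presumably only warns about the scope mismatch before evaluating the rule; asserting that warning, if the test base captures logs, would pin the intended "warn but allow" behaviour rather than just the truthy return value. The enclosing PolicyTestCase class starts before this hunk.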