Allow an action if no policy exists for it and there is no default policy.

This is a special cherry-pick from horizon master branch
as openstack_auth was merged into horizon in Queens.

Closes-bug: 1739108
(cherry picked from commit 54365d7ef1007b3c8373ecb4e591c7f899dbeb98)

Change-Id: I94b54b84e22f9c9f0f38adff087c465b558e5e2a
This commit is contained in:
Vladislav Kuzmin 2018-05-15 14:10:01 +04:00
parent b25c1150e5
commit ddcfe7a6d4
4 changed files with 69 additions and 1 deletions

View File

@ -181,7 +181,8 @@ def _check_credentials(enforcer_scope, action, target, credentials):
# enforce loads the rules
if action not in enforcer_scope.rules:
if not enforcer_scope.enforce('default', target, credentials):
is_valid = False
if 'default' in enforcer_scope.rules:
is_valid = False
else:
is_valid = False
return is_valid

View File

@ -0,0 +1,3 @@
{
"no_default:action": ""
}

View File

@ -0,0 +1,4 @@
{
"with_default:action": "",
"default": "role:admin"
}

View File

@ -1343,6 +1343,66 @@ class PolicyTestCaseNonAdmin(PolicyTestCase):
self.assertTrue(value)
class PolicyTestCheckCredentials(PolicyTestCase):
_roles = [{'id': '1', 'name': 'member'}]
def setUp(self):
policy_files = {
'no_default': 'no_default_policy.json',
'with_default': 'with_default_policy.json',
}
override = self.settings(POLICY_FILES=policy_files)
override.enable()
self.addCleanup(override.disable)
mock_user = user.User(id=1, roles=self._roles,
user_domain_id='admin_domain_id')
patcher = mock.patch('openstack_auth.utils.get_user',
return_value=mock_user)
self.MockClass = patcher.start()
self.addCleanup(patcher.stop)
self.request = http.HttpRequest()
def test_check_credentials(self):
policy.reset()
enforcer = policy._get_enforcer()
scope = enforcer['no_default']
user = utils.get_user()
credentials = policy._user_to_credentials(user)
target = {
'project_id': user.project_id,
'tenant_id': user.project_id,
'user_id': user.id,
'domain_id': user.user_domain_id,
'user.domain_id': user.user_domain_id,
'group.domain_id': user.user_domain_id,
'project.domain_id': user.user_domain_id,
}
is_valid = policy._check_credentials(scope, 'action', target,
credentials)
self.assertTrue(is_valid)
def test_check_credentials_default(self):
policy.reset()
enforcer = policy._get_enforcer()
scope = enforcer['with_default']
user = utils.get_user()
credentials = policy._user_to_credentials(user)
target = {
'project_id': user.project_id,
'tenant_id': user.project_id,
'user_id': user.id,
'domain_id': user.user_domain_id,
'user.domain_id': user.user_domain_id,
'group.domain_id': user.user_domain_id,
'project.domain_id': user.user_domain_id,
}
is_valid = policy._check_credentials(scope, 'action', target,
credentials)
self.assertFalse(is_valid)
class PolicyTestCaseAdmin(PolicyTestCase):
_roles = [{'id': '1', 'name': 'admin'}]