Merge "Address minor comments from initial impl RBACEnforcer"

2018-07-13 09:03:31 +00:00 · 2018-07-13 09:03:31 +00:00 · bfa1fa79f5
parent 416c325144 6d1456061d
commit bfa1fa79f5
2 changed files with 24 additions and 8 deletions
--- a/keystone/common/rbac_enforcer/enforcer.py
+++ b/keystone/common/rbac_enforcer/enforcer.py
@ -280,14 +280,21 @@ class RBACEnforcer(object):
        # @policy_enforcer_action decorator was used.
        action = action or getattr(flask.g, cls.ACTION_STORE_ATTR, None)
        if action not in _POSSIBLE_TARGET_ACTIONS:
-            LOG.warning('RBAC: Unknown/No enforcement action name. Rejecting '
-                        'as unauthorized, this is a programming error and a '
-                        'bug should be filed with as much information about '
-                        'the request that caused this as possible.')
-            raise exception.Unauthorized(
+            LOG.warning('RBAC: Unknown enforcement action name `%s`. '
+                        'Rejecting as Forbidden, this is a programming error '
+                        'and a bug should be filed with as much information '
+                        'about the request that caused this as possible.',
+                        action)
+            # NOTE(morgan): While this is an internal error, a 500 is never
+            # desirable, we have handled the case and the most appropriate
+            # response here is to issue a 403 (FORBIDDEN) to any API calling
+            # enforce_call with an inappropriate action/name to look up the
+            # policy rule. This is simply a short-circuit as the enforcement
+            # code raises a 403 on an unknown action (in keystone) by default.
+            raise exception.Forbidden(
                message=_(
-                    'Internal RBAC enforcement error, no rule/action name to '
-                    'lookup'))
+                    'Internal RBAC enforcement error, invalid rule (action) '
+                    'name.'))

        # Mark flask.g as "enforce_call" has been called. This should occur
        # before anything except the "is this a valid action" check, ensuring
--- a/keystone/tests/unit/common/test_rbac_enforcer.py
+++ b/keystone/tests/unit/common/test_rbac_enforcer.py
@ -335,6 +335,14 @@ class TestRBACEnforcerRest(_TestRBACEnforcerBase):
                extracted_creds)

    def test_extract_member_target_data_inferred(self):
+        # NOTE(morgan): Setup the "resource" object with a 'member_name' attr
+        # and the 'get_member_from_driver' binding to the 'get' method. The
+        # enforcer here will look for 'get_member_from_driver' (callable) and
+        # the 'member_name' (e.g. 'user') so it can automatically populate
+        # the target dict with the member information. This is mostly compat
+        # with current @protected (ease of use). For most cases the target
+        # should be explicitly passed to .enforce_call, but for ease of
+        # converting / use, the automatic population of data has been added.
        self.restful_api_resource.member_name = 'argument'
        member_from_driver = self.restful_api_resource.get
        self.restful_api_resource.get_member_from_driver = member_from_driver
@ -399,7 +407,8 @@ class TestRBACEnforcerRest(_TestRBACEnforcerBase):
        self.assertRaises(ValueError, _decorator_fails)

    def test_enforce_call_invalid_action(self):
-        self.assertRaises(exception.Unauthorized, self.enforcer.enforce_call,
+        self.assertRaises(exception.Forbidden,
+                          self.enforcer.enforce_call,
                          action=uuid.uuid4().hex)

    def test_enforce_call_not_is_authenticated(self):