Merge "Address minor comments from initial impl RBACEnforcer"
commit
bfa1fa79f5
|
@ -280,14 +280,21 @@ class RBACEnforcer(object):
|
|||
# @policy_enforcer_action decorator was used.
|
||||
action = action or getattr(flask.g, cls.ACTION_STORE_ATTR, None)
|
||||
if action not in _POSSIBLE_TARGET_ACTIONS:
|
||||
LOG.warning('RBAC: Unknown/No enforcement action name. Rejecting '
|
||||
'as unauthorized, this is a programming error and a '
|
||||
'bug should be filed with as much information about '
|
||||
'the request that caused this as possible.')
|
||||
raise exception.Unauthorized(
|
||||
LOG.warning('RBAC: Unknown enforcement action name `%s`. '
|
||||
'Rejecting as Forbidden, this is a programming error '
|
||||
'and a bug should be filed with as much information '
|
||||
'about the request that caused this as possible.',
|
||||
action)
|
||||
# NOTE(morgan): While this is an internal error, a 500 is never
|
||||
# desirable, we have handled the case and the most appropriate
|
||||
# response here is to issue a 403 (FORBIDDEN) to any API calling
|
||||
# enforce_call with an inappropriate action/name to look up the
|
||||
# policy rule. This is simply a short-circuit as the enforcement
|
||||
# code raises a 403 on an unknown action (in keystone) by default.
|
||||
raise exception.Forbidden(
|
||||
message=_(
|
||||
'Internal RBAC enforcement error, no rule/action name to '
|
||||
'lookup'))
|
||||
'Internal RBAC enforcement error, invalid rule (action) '
|
||||
'name.'))
|
||||
|
||||
# Mark flask.g as "enforce_call" has been called. This should occur
|
||||
# before anything except the "is this a valid action" check, ensuring
|
||||
|
|
|
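Review bot: The new warning on the `LOG.warning('RBAC: Unknown enforcement action name `%s`. '` line no longer distinguishes the missing-action case: when neither the caller nor flask.g supplies an action, the preceding `action = action or getattr(flask.g, cls.ACTION_STORE_ATTR, None)` leaves it as None and the log reads as an unknown action named `None`, while the replaced text said "Unknown/No". Wording the message as "Unknown or missing enforcement action name" keeps the log useful for the bug report it asks for without changing the Forbidden response. The NOTE's claim that the enforcement code raises a 403 on an unknown action "by default" is not visible in this hunk, so it would be worth phrasing it as a reference to where that behaviour lives rather than as a bare statement. enforce_call starts and ends outside the hunk.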
@ -335,6 +335,14 @@ class TestRBACEnforcerRest(_TestRBACEnforcerBase):
|
|||
extracted_creds)
|
||||
|
||||
def test_extract_member_target_data_inferred(self):
|
||||
# NOTE(morgan): Setup the "resource" object with a 'member_name' attr
|
||||
# and the 'get_member_from_driver' binding to the 'get' method. The
|
||||
# enforcer here will look for 'get_member_from_driver' (callable) and
|
||||
# the 'member_name' (e.g. 'user') so it can automatically populate
|
||||
# the target dict with the member information. This is mostly compat
|
||||
# with current @protected (ease of use). For most cases the target
|
||||
# should be explicitly passed to .enforce_call, but for ease of
|
||||
# converting / use, the automatic population of data has been added.
|
||||
self.restful_api_resource.member_name = 'argument'
|
||||
member_from_driver = self.restful_api_resource.get
|
||||
self.restful_api_resource.get_member_from_driver = member_from_driver
|
||||
|
@ -399,7 +407,8 @@ class TestRBACEnforcerRest(_TestRBACEnforcerBase):
|
|||
self.assertRaises(ValueError, _decorator_fails)
|
||||
|
||||
def test_enforce_call_invalid_action(self):
|
||||
self.assertRaises(exception.Unauthorized, self.enforcer.enforce_call,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.enforcer.enforce_call,
|
||||
action=uuid.uuid4().hex)
|
||||
|
||||
def test_enforce_call_not_is_authenticated(self):
|
||||
|
|
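Review bot: test_enforce_call_invalid_action now pins the Forbidden response for an unknown action name, but the same code path also handles the no-action case (action not passed and nothing stored on flask.g), which is the branch most likely to be hit by a decorator mistake and is not covered here. A second assertion, `self.assertRaises(exception.Forbidden, self.enforcer.enforce_call)`, would lock that in, provided the fixture leaves flask.g without a stored action at that point (its setup is not visible in this hunk). The enclosing class continues outside the hunk.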