diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py index 74cc23a7df..9f7f8d867f 100644 --- a/openstack_auth/policy.py +++ b/openstack_auth/policy.py @@ -188,7 +188,8 @@ def _check_credentials(enforcer_scope, action, target, credentials): # enforce loads the rules if action not in enforcer_scope.rules: if not enforcer_scope.enforce('default', target, credentials): - is_valid = False + if 'default' in enforcer_scope.rules: + is_valid = False else: is_valid = False return is_valid diff --git a/openstack_auth/tests/conf/no_default_policy.json b/openstack_auth/tests/conf/no_default_policy.json new file mode 100644 index 0000000000..07cd8c1b1a --- /dev/null +++ b/openstack_auth/tests/conf/no_default_policy.json @@ -0,0 +1,3 @@ +{ + "no_default:action": "" +} diff --git a/openstack_auth/tests/conf/with_default_policy.json b/openstack_auth/tests/conf/with_default_policy.json new file mode 100644 index 0000000000..42e6bfc29b --- /dev/null +++ b/openstack_auth/tests/conf/with_default_policy.json @@ -0,0 +1,4 @@ +{ + "with_default:action": "", + "default": "role:admin" +} diff --git a/openstack_auth/tests/unit/test_policy.py b/openstack_auth/tests/unit/test_policy.py index 96e686586f..2bcaad2911 100644 --- a/openstack_auth/tests/unit/test_policy.py +++ b/openstack_auth/tests/unit/test_policy.py @@ -17,6 +17,7 @@ import mock from openstack_auth import policy from openstack_auth import user +from openstack_auth import utils class PolicyLoaderTestCase(test.TestCase): @@ -83,6 +84,66 @@ class PolicyTestCaseNonAdmin(PolicyTestCase): self.assertTrue(value) +class PolicyTestCheckCredentials(PolicyTestCase): + _roles = [{'id': '1', 'name': 'member'}] + + def setUp(self): + policy_files = { + 'no_default': 'no_default_policy.json', + 'with_default': 'with_default_policy.json', + } + + override = self.settings(POLICY_FILES=policy_files) + override.enable() + self.addCleanup(override.disable) + + mock_user = user.User(id=1, roles=self._roles, + user_domain_id='admin_domain_id') + patcher = mock.patch('openstack_auth.utils.get_user', + return_value=mock_user) + self.MockClass = patcher.start() + self.addCleanup(patcher.stop) + self.request = http.HttpRequest() + + def test_check_credentials(self): + policy.reset() + enforcer = policy._get_enforcer() + scope = enforcer['no_default'] + user = utils.get_user() + credentials = policy._user_to_credentials(user) + target = { + 'project_id': user.project_id, + 'tenant_id': user.project_id, + 'user_id': user.id, + 'domain_id': user.user_domain_id, + 'user.domain_id': user.user_domain_id, + 'group.domain_id': user.user_domain_id, + 'project.domain_id': user.user_domain_id, + } + is_valid = policy._check_credentials(scope, 'action', target, + credentials) + self.assertTrue(is_valid) + + def test_check_credentials_default(self): + policy.reset() + enforcer = policy._get_enforcer() + scope = enforcer['with_default'] + user = utils.get_user() + credentials = policy._user_to_credentials(user) + target = { + 'project_id': user.project_id, + 'tenant_id': user.project_id, + 'user_id': user.id, + 'domain_id': user.user_domain_id, + 'user.domain_id': user.user_domain_id, + 'group.domain_id': user.user_domain_id, + 'project.domain_id': user.user_domain_id, + } + is_valid = policy._check_credentials(scope, 'action', target, + credentials) + self.assertFalse(is_valid) + + class PolicyTestCaseAdmin(PolicyTestCase): _roles = [{'id': '1', 'name': 'admin'}]