Enforcer doesn't raise an InvalidScope exception when rules subclass BaseCheck

Bug #1923503 reported by Lance Bragstad
Affects: oslo.policy
Status: Fix Released
Importance: Undecided
Assigned to: Slawek Kaplonski
Milestone:

Bug Description

You can configure oslo.policy to raise an InvalidScope exception if the registered rule's scope types do not match the appropriate scope in the credentials dictionary or context object.

This behavior is broken if the registered rule is actually a subclass of the BaseCheck object because BaseCheck instances are checked first before handling scope checks [0].

This was discovered while implementing policy protection tests in neutron [1].

We should consider applying scope enforcement regardless of the rule type. If the rule has scope_types set, we should evaluate them.

[0] https://opendev.org/openstack/oslo.policy/src/commit/d8534850d9238e85ae0ea55bf2ac8583681fdb2b/oslo_policy/policy.py#L996-L1062
[1] https://review.opendev.org/c/openstack/neutron/+/784205/3/neutron/tests/unit/conf/policies/test_floatingip.py
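A simplified model of the gap described above, added here as an example and not oslo.policy's own code: it keeps the reported ordering behind a `fixed=False` switch (BaseCheck instances evaluated before any scope check) and, with the default `fixed=True`, consults `scope_types` on every rule that sets them, whether registered by name or built in flight. `AttrCheck`, `token_scope` and the sample credentials are assumptions made for the example.

```python
class InvalidScope(Exception):
    """Raised when the token's scope is not among the rule's scope_types."""

class BaseCheck:
    # The related fix adds a scope_types attribute to BaseCheck (None by default).
    scope_types = None
    def __call__(self, target, creds):
        raise NotImplementedError

class AttrCheck(BaseCheck):
    """Hypothetical check built in flight (the neutron use case): passes
    when a target attribute equals the expected value."""
    def __init__(self, attr, value, scope_types=None):
        self.attr, self.value, self.scope_types = attr, value, scope_types

    def __call__(self, target, creds):
        return target.get(self.attr) == self.value

def token_scope(creds):
    """Derive the token scope from a keystone-style credentials dict."""
    if creds.get("system_scope") == "all":
        return "system"
    if creds.get("domain_id") is not None:
        return "domain"
    return "project"

def enforce_scope_types(rule, creds):
    """Raise InvalidScope when the rule restricts scope and the token's
    scope is not listed; rules without scope_types are left alone."""
    scope = token_scope(creds)
    if rule.scope_types and scope not in rule.scope_types:
        raise InvalidScope(f"{scope} scope not in {rule.scope_types}")

def enforce(registry, rule, target, creds, fixed=True):
    """Model of Enforcer.enforce with enforce_scope=True. fixed=False keeps
    the reported ordering: a BaseCheck instance is evaluated before the
    scope check runs, so its scope_types are never consulted."""
    if isinstance(rule, BaseCheck):
        if fixed:
            enforce_scope_types(rule, creds)
        return rule(target, creds)
    registered = registry[rule]  # a rule named by string is looked up
    enforce_scope_types(registered, creds)
    return registered(target, creds)

# Constructed sample input: a system-scoped token, a provider network and
# an in-flight rule that only project-scoped tokens may satisfy.
SYSTEM_CREDS = {"user_id": "u1", "system_scope": "all"}
NETWORK = {"provider:network_type": "vlan"}
PROJECT_ONLY = AttrCheck("provider:network_type", "vlan", scope_types=["project"])
```

With `fixed=False` the system-scoped token passes the in-flight rule silently; with the fixed ordering the same call raises InvalidScope, matching what already happened for registered rules.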

OpenStack Infra (hudson-openstack) wrote : Fix proposed to oslo.policy (master)
Changed in oslo.policy:
status: New → In Progress
Changed in oslo.policy:
assignee: nobody → Slawek Kaplonski (slaweq)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to oslo.policy (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/oslo.policy/+/812468

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/oslo.policy/+/812469

OpenStack Infra (hudson-openstack) wrote : Related fix merged to oslo.policy (master)

Reviewed: https://review.opendev.org/c/openstack/oslo.policy/+/812468
Committed: https://opendev.org/openstack/oslo.policy/commit/fb51982f80572c73fc8dcaf2818a0ad31663a11e
Submitter: "Zuul (22348)"
Branch: master

commit fb51982f80572c73fc8dcaf2818a0ad31663a11e
Author: Slawek Kaplonski <email address hidden>
Date: Tue Oct 5 11:09:31 2021 +0200

    Add scope_types attribute to the BaseCheck class

    Neutron, based on the defined policy rules, is creating check
    objects "in flight" to e.g. include in the check some object's attributes,
    like e.g. network's provider parameters.
    That use case requires that the BaseCheck class and classes which inherit
    from it need to have scope_types defined, thus Neutron can set it for
    the Check based on the defined policy rule.

    This patch adds a scope_types attribute to the BaseCheck class to make it
    available for use cases like the one described above.

    Related-Bug: #1923503
    Change-Id: Ibf30d0ffa5e9b125742089705d3557c02a03bc43

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/c/openstack/oslo.policy/+/812469
Committed: https://opendev.org/openstack/oslo.policy/commit/0aa03fd856fa6ad1481797d6b456271bbbd0e9dc
Submitter: "Zuul (22348)"
Branch: master

commit 0aa03fd856fa6ad1481797d6b456271bbbd0e9dc
Author: Slawek Kaplonski <email address hidden>
Date: Tue Oct 5 11:13:39 2021 +0200

    Refactor scope enforcement in the Enforcer class

    This patch moves the code responsible for scope types enforcement
    to a separate method which can be reused in different places,
    like e.g. to enforce scope for instances of the BaseCheck class.

    Related-Bug: #1923503
    Change-Id: I6fd671728582b2f60939764075a8e2a977e78b58

OpenStack Infra (hudson-openstack) wrote : Fix merged to oslo.policy (master)

Reviewed: https://review.opendev.org/c/openstack/oslo.policy/+/804980
Committed: https://opendev.org/openstack/oslo.policy/commit/919c3280aa79762df8475f131a65d12b78ac436e
Submitter: "Zuul (22348)"
Branch: master

commit 919c3280aa79762df8475f131a65d12b78ac436e
Author: Slawek Kaplonski <email address hidden>
Date: Tue Oct 5 11:16:04 2021 +0200

    Enforce scope check always when rule has scope_types set

    Previously it was checked only for registered rules but not for
    rules which are subclasses of the BaseCheck class.
    Now it's checked for all rules which have scope_types set.

    It's required for e.g. Neutron as it is creating Check objects based
    on the defined policy rules to e.g. include in the check attributes
    like network's provider parameters, etc.

    Depends-On: https://review.opendev.org/c/openstack/neutron/+/815838
    Depends-On: https://review.opendev.org/c/openstack/neutron/+/818725

    Closes-Bug: #1923503
    Change-Id: I55258c1f999c84220518d1fbbf5e1e514361cebe

Changed in oslo.policy:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/oslo.policy 3.10.1

This issue was fixed in the openstack/oslo.policy 3.10.1 release.
