Enforcer doesn't raise an InvalidScope exception when rules subclass BaseCheck
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
oslo.policy | Fix Released | Undecided | Slawek Kaplonski | |
Bug Description
You can configure oslo.policy to raise an InvalidScope exception if the registered rule's scope types do not match the appropriate scope in the credentials dictionary or context object.
This behavior is broken if the registered rule is actually a subclass of the BaseCheck object because BaseCheck instances are checked first before handling scope checks [0].
This was discovered while implementing policy protection tests in neutron [1].
We should consider applying scope enforcement regardless of the rule type. If the rule has scope_types set, we should evaluate them.
[0] https:/
[1] https:/
Changed in oslo.policy:
assignee: nobody → Slawek Kaplonski (slaweq)
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/oslo.policy/+/804980
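The ordering problem described in the bug report, as an added example that is not part of the report and is not oslo.policy source code. It is a simplified model: the class bodies, the `scope` key in the credentials, the `scope_all_rule_types` switch and the sample rule are assumptions made for illustration. With the reported ordering a project-scoped admin passes a system-only rule when the rule is handed over as a check object, while the same rule looked up by name raises InvalidScope.

```python
# Simplified model of the enforcement order; not oslo.policy source code.
class InvalidScope(Exception):
    """Stand-in for the library's InvalidScope exception."""

class BaseCheck:
    scope_types = None
    def __call__(self, target, creds):
        raise NotImplementedError

class RoleCheck(BaseCheck):
    """Hypothetical check object that carries its own scope_types."""
    def __init__(self, role, scope_types):
        self.role, self.scope_types = role, scope_types
    def __call__(self, target, creds):
        return self.role in creds["roles"]

def check_scope(rule, creds):
    # Evaluate scope_types whenever the rule sets them.
    if rule.scope_types and creds["scope"] not in rule.scope_types:
        raise InvalidScope(f"{creds['scope']} not in {rule.scope_types}")

class Enforcer:
    def __init__(self, registered, scope_all_rule_types):
        self.registered = registered          # rule name -> check object
        self.scope_all_rule_types = scope_all_rule_types
    def enforce(self, rule, target, creds):
        if isinstance(rule, BaseCheck):
            # Reported behaviour: this branch returns before any scope check.
            if self.scope_all_rule_types:
                check_scope(rule, creds)
            return rule(target, creds)
        check = self.registered[rule]
        check_scope(check, creds)
        return check(target, creds)

def outcome(enforcer, rule, creds):
    try:
        return "allowed" if enforcer.enforce(rule, {}, creds) else "denied"
    except InvalidScope:
        return "InvalidScope"

# Constructed sample data: a system-only rule and a project-scoped admin.
SYSTEM_ONLY = RoleCheck("admin", scope_types=["system"])
PROJECT_ADMIN = {"roles": ["admin"], "scope": "project"}
REPORTED = Enforcer({"list_things": SYSTEM_ONLY}, scope_all_rule_types=False)
PROPOSED = Enforcer({"list_things": SYSTEM_ONLY}, scope_all_rule_types=True)

if __name__ == "__main__":
    for label, enf in (("reported", REPORTED), ("proposed", PROPOSED)):
        print(label, outcome(enf, "list_things", PROJECT_ADMIN),
              outcome(enf, SYSTEM_ONLY, PROJECT_ADMIN))
```

A policy protection test that passes the check object directly, rather than the rule name, is the case that exposes the difference.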