Add configuration option for enforcing scope

A previous patch made it so that oslo.policy's ``enforce()`` method
compares the context of the request to the ``scope_types`` of the
policy being evaluated:

  I7fa171d859d82939511f8279e4e9464f792ed2cd

After consuming the change across various projects, it became
apparent that we would be duplicating configuration options in each
project in order for operators to opt into this functionality.

This commit adds a new configuration option that is meant to replace
the kwarg that was introduced in a previous patch. This will make things
more consistent for operators as they fix RBAC across their
deployment. It will also make it easier for other OpenStack services
to consumes the new scope_types enforcement.

bp add-scope-to-policy

Change-Id: Ia573b8cac3bf9cee2962790589dea24c7f530ef5

oslo_policy/opts.py

@@ -25,6 +25,16 @@ from oslo_policy._i18n import _
 _option_group = 'oslo_policy'
 
 _options = [
+    cfg.BoolOpt('enforce_scope',
+                default=False,
+                help=_('This option controls whether or not to enforce scope '
+                       'when evaluating policies. If ``True``, the scope of '
+                       'the token used in the request is compared to the '
+                       '``scope_types`` of the policy being enforced. If the '
+                       'scopes do not match, an ``InvalidScope`` exception '
+                       'will be raised. If ``False``, a message will be '
+                       'logged informing operators that policies are being '
+                       'invoked with mismatching scope.')),
     cfg.StrOpt('policy_file',
                default='policy.json',
                help=_('The file that defines policies.'),

oslo_policy/policy.py

@@ -777,7 +777,7 @@ class Enforcer(object):
         raise cfg.ConfigFilesNotFoundError((path,))
 
     def enforce(self, rule, target, creds, do_raise=False, exc=None,
-                enforce_scope=True, *args, **kwargs):
+                *args, **kwargs):
         """Checks authorization of a rule against the target and credentials.
 
         :param rule: The rule to evaluate.
@@ -797,12 +797,6 @@ class Enforcer(object):
                     positional and keyword arguments) will be passed to
                     the exception class. If not specified,
                     :class:`PolicyNotAuthorized` will be used.
-        :param enforce_scope: A boolean value denoting if an exception should
-                              be raised in the event the operation requires a
-                              different scope from the one in the request (e.g.
-                              using a project-scope token to do something
-                              system-wide). If False, a warning will be logged
-                              with details of the scope failure.
 
         :return: ``False`` if the policy does not allow the action and `exc` is
                  not provided; otherwise, returns a value that evaluates to
@@ -850,7 +844,7 @@ class Enforcer(object):
                 registered_rule = self.registered_rules.get(rule)
                 if registered_rule and registered_rule.scope_types:
                     if token_scope not in registered_rule.scope_types:
-                        if enforce_scope:
+                        if self.conf.oslo_policy.enforce_scope:
                             raise InvalidScope(
                                 rule, registered_rule.scope_types, token_scope
                             )

oslo_policy/tests/test_policy.py

@@ -742,7 +742,7 @@ class CheckFunctionTestCase(base.PolicyBaseTestCase):
         creds = {}
         exc = self.assertRaises(
             MyException, self.enforcer.enforce, 'rule', 'target', creds,
-            True, MyException, False, 'arg1', 'arg2', kw1='kwarg1',
+            True, MyException, 'arg1', 'arg2', kw1='kwarg1',
             kw2='kwarg2')
         self.assertEqual(('arg1', 'arg2'), exc.args)
         self.assertEqual(dict(kw1='kwarg1', kw2='kwarg2'), exc.kwargs)