diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py
index 875727fe..48bc40f1 100644
--- a/oslo_policy/policy.py
+++ b/oslo_policy/policy.py
@@ -1041,6 +1041,8 @@ class Enforcer(object):
 if isinstance(rule, _checks.BaseCheck):
 # If the thing we're given is a Check, we don't know the
 # name of the rule, so pass None for current_rule.
+ if rule.scope_types:
+ self._enforce_scope(creds, rule)
 result = _checks._check(
 rule=rule,
 target=target,
diff --git a/oslo_policy/tests/test_policy.py b/oslo_policy/tests/test_policy.py
index f24a02ea..5dcf868a 100644
--- a/oslo_policy/tests/test_policy.py
+++ b/oslo_policy/tests/test_policy.py
@@ -999,6 +999,22 @@ class EnforcerTest(base.PolicyBaseTestCase):
 target_dict, ctx
 )
+ def test_enforce_scope_with_subclassed_checks_when_scope_not_set(self):
+ self.conf.set_override('enforce_scope', True, group='oslo_policy')
+ rule = _checks.TrueCheck()
+ rule.scope_types = None
+ ctx = context.RequestContext(system_scope='all', roles=['admin'])
+ self.enforcer.enforce(rule, {}, ctx)
+
+ def test_enforcer_raises_invalid_scope_with_subclassed_checks(self):
+ self.conf.set_override('enforce_scope', True, group='oslo_policy')
+ rule = _checks.TrueCheck()
+ rule.scope_types = ['domain']
+ ctx = context.RequestContext(system_scope='all', roles=['admin'])
+ self.assertRaises(
+ policy.InvalidScope,
+ self.enforcer.enforce, rule, {}, ctx)
+
+
 class EnforcerNoPolicyFileTest(base.PolicyBaseTestCase):
 def setUp(self):
diff --git a/releasenotes/notes/enforce-scope-checks-always-when-rule-has-scope_types-8f983cdf70766e4f.yaml b/releasenotes/notes/enforce-scope-checks-always-when-rule-has-scope_types-8f983cdf70766e4f.yaml
new file mode 100644
index 00000000..d13c523b
--- /dev/null
+++ b/releasenotes/notes/enforce-scope-checks-always-when-rule-has-scope_types-8f983cdf70766e4f.yaml
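Review bot: The new guard in the `isinstance(rule, _checks.BaseCheck)` branch reads `rule.scope_types` unconditionally, yet the only "unset" coverage added in this commit assigns `rule.scope_types = None` by hand, so a BaseCheck subclass that never defines the attribute is not exercised; unless `_checks.BaseCheck` declares `scope_types` as a class attribute (not visible in this hunk), that read turns every such check into an AttributeError from enforce(). If the base class does not declare it, `if getattr(rule, 'scope_types', None):` preserves the new enforcement for checks that opt in without breaking older subclasses. The reason scope is enforced here, ahead of `_checks._check`, deserves a comment, since a bare check presumably never reaches the scope handling that registered rules get elsewhere in enforce(); something like `# A bare Check carries its own scope_types; enforce them here, since this branch bypasses the registered-rule path.` The enclosing enforce() method starts and ends outside the hunk.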
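Review bot: `test_enforce_scope_with_subclassed_checks_when_scope_not_set` discards the result of `self.enforcer.enforce(rule, {}, ctx)`, so it only proves that no exception escapes; since the rule is a `TrueCheck`, pin the outcome with `self.assertTrue(self.enforcer.enforce(rule, {}, ctx))`. Two cases are still untested: a check whose `scope_types` matches the context (e.g. `rule.scope_types = ['system']` with the same system-scoped context, expected to be authorized) and a check that never assigns `scope_types` at all, which is the shape any pre-existing BaseCheck subclass has, and the one most likely to regress. Both new tests also repeat the `set_override`/`TrueCheck`/`RequestContext` setup verbatim; a small helper that takes the scope_types value would keep further scope tests in this class short.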
@@ -0,0 +1,6 @@
+---
+other:
+ - |
+ Scope check is enforced for all rules, registered ones as well as the ones
+ which are subclasses of the ``BaseCheck`` class if rule has ``scope_types``
+ set.