Add string format rendering to RoleCheck.__call__()

RoleCheck.__call__() doesn't render string format with target dict. So, it couldn't handle rules like below: "identity:create_grant": "role: %{target.role.name}s" This patch adds string format rendering code to it. If target_dict has a key specified at %()s in the rule, __call__() will render its value and evaluate the rule. If not, the method will return False. Change-Id: I82d677301ca2c764230ed9b3e3e9d82056afcea2 Closes-Bug: #1527055
2015-12-14 15:05:49 +09:00 · 2015-12-14 15:05:49 +09:00 · efea2ada1c
commit efea2ada1c
parent 7fb2e91a77
2 changed files with 22 additions and 3 deletions
--- a/oslo_policy/_checks.py
+++ b/oslo_policy/_checks.py
@ -212,7 +212,13 @@ class RoleCheck(Check):
    """Check that there is a matching role in the ``creds`` dict."""

    def __call__(self, target, creds, enforcer):
-        return self.match.lower() in [x.lower() for x in creds['roles']]
+        try:
+            match = self.match % target
+        except KeyError:
+            # While doing RoleCheck if key not
+            # present in Target return false
+            return False
+        return match.lower() in [x.lower() for x in creds['roles']]


@register('http')
--- a/oslo_policy/tests/test_checks.py
+++ b/oslo_policy/tests/test_checks.py
@ -72,12 +72,25 @@ class RoleCheckTestCase(base.PolicyBaseTestCase):
    def test_accept(self):
        check = _checks.RoleCheck('role', 'sPaM')

-        self.assertTrue(check('target', dict(roles=['SpAm']), self.enforcer))
+        self.assertTrue(check({}, dict(roles=['SpAm']), self.enforcer))

    def test_reject(self):
        check = _checks.RoleCheck('role', 'spam')

-        self.assertFalse(check('target', dict(roles=[]), self.enforcer))
+        self.assertFalse(check({}, dict(roles=[]), self.enforcer))
+
+    def test_format_value(self):
+        check = _checks.RoleCheck('role', '%(target.role.name)s')
+
+        target_dict = {'target.role.name': 'a'}
+        cred_dict = dict(user='user', roles=['a', 'b', 'c'])
+        self.assertTrue(check(target_dict, cred_dict, self.enforcer))
+
+        target_dict = {'target.role.name': 'd'}
+        self.assertFalse(check(target_dict, cred_dict, self.enforcer))
+
+        target_dict = dict(target=dict(role=dict()))
+        self.assertFalse(check(target_dict, cred_dict, self.enforcer))


 class HttpCheckTestCase(base.PolicyBaseTestCase):