From c5bf8b230fea356a228485926bc889b138d5bcb1 Mon Sep 17 00:00:00 2001 From: Ghanshyam Mann Date: Thu, 9 Jan 2020 01:10:11 +0000 Subject: [PATCH] Introduce scope_types in os-agents policy oslo.policy introduced the scope_type feature which can control the access level at system-level and project-level. - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html Appropriate scope_type for nova case: - https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope This commit introduce scope_type for os-agents API policies as 'system'. Also adds the test case with scope_type enabled and verify we pass and fail the policy check with expected context. Partial implement blueprint policy-defaults-refresh Change-Id: If73cedb50185c830167db1c86ad15095c9f3d104
---
 nova/policies/agents.py | 11 ++++++-----
 nova/tests/unit/policies/test_agents.py | 14 ++++++++++++++
 2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/nova/policies/agents.py b/nova/policies/agents.py
index 00ba7fb2f6..cc6dc7441a 100644
--- a/nova/policies/agents.py
+++ b/nova/policies/agents.py
@@ -23,14 +23,14 @@ BASE_POLICY_NAME = 'os_compute_api:os-agents'
 
 agents_policies = [
 policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_API,
- """Create, list, update, and delete guest agent builds
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API,
+ description="""Create, list, update, and delete guest agent builds
 
 This is XenAPI driver specific.
 It is used to force the upgrade of the XenAPI guest agent on instance boot.
 """,
- [
+ operations=[
 {
 'path': '/os-agents',
 'method': 'GET'
@@ -47,7 +47,8 @@ It is used to force the upgrade of the XenAPI guest agent on instance boot.
 'path': '/os-agents/{agent_build_id}',
 'method': 'DELETE'
 }
- ]),
+ ],
+ scope_types=['system']),
 ]
 
 
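Review bot: The new `scope_types=['system']` on the os-agents rule only becomes enforceable once `[oslo_policy]/enforce_scope` is turned on, which is why the accompanying test has to set it explicitly; with the flag off oslo.policy does not reject a mismatched scope, so a project-scoped admin token still satisfies `RULE_ADMIN_API` for these operations. Nothing in the rule records that distinction, and `description` is the text that is rendered into the generated policy reference, so an operator reading it cannot tell the rule is now system-scoped. I would either append a sentence to the description, `Requires a system-scoped token once [oslo_policy]/enforce_scope is enabled.`, or put `# System-scoped: guest agent builds are deployment-wide, not owned by any project.` directly above the `scope_types` line. The keyword-argument conversion in the first hunk of this file needs no change.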
diff --git a/nova/tests/unit/policies/test_agents.py b/nova/tests/unit/policies/test_agents.py
index cd78877152..0905f109a4 100644
--- a/nova/tests/unit/policies/test_agents.py
+++ b/nova/tests/unit/policies/test_agents.py
@@ -109,3 +109,17 @@ class AgentsScopeTypePolicyTest(AgentsPolicyTest):
 def setUp(self):
 super(AgentsScopeTypePolicyTest, self).setUp()
 self.flags(enforce_scope=True, group="oslo_policy")
+
+ # Check that system admin is able to perform the CRUD operation
+ # on agents.
+ self.admin_authorized_contexts = [ self.system_admin_context]
+ # Check that non-system or non-admin is not able to perform the CRUD
+ # operation on agents.
+ self.admin_unauthorized_contexts = [
+ self.legacy_admin_context, self.system_member_context,
+ self.system_reader_context, self.project_admin_context,
+ self.system_foo_context, self.project_member_context,
+ self.other_project_member_context,
+ self.project_foo_context, self.project_reader_context
+ ]
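Review bot: `self.legacy_admin_context` in the new `admin_unauthorized_contexts` list is the behaviour change this patch actually introduces (an admin whose token is project-scoped, if the fixture matches its name, loses access once `enforce_scope=True`), but the comment above it lumps it in with "non-system or non-admin", which reads as a pre-existing rule rather than a deliberate break for legacy deployments. I would say so next to it: `# legacy_admin_context is an admin but not system-scoped, so under enforce_scope=True it must now be rejected by the scope check.` The two lists also appear to override wholesale whatever the parent `AgentsPolicyTest.setUp` assigns, so a context added to the base class later would silently go untested here; a short note, or an assertion that authorized plus unauthorized covers every context the base defines, would guard that. The class header and the base class's setUp are outside this hunk.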