Merge "Provided backward compat for enforcing admin policy"

ironic/api/hooks.py

@@ -76,7 +76,11 @@ class ContextHook(hooks.PecanHook):
             'roles': headers.get('X-Roles', '').split(','),
         }
 
-        is_admin = policy.enforce('admin_api', creds, creds)
+        # NOTE(adam_g): We also check the previous 'admin' rule to ensure
+        # compat with default juno policy.json.  This double check may be
+        # removed in L.
+        is_admin = (policy.enforce('admin_api', creds, creds) or
+                    policy.enforce('admin', creds, creds))
         is_public_api = state.request.environ.get('is_public_api', False)
 
         state.request.context = context.RequestContext(

ironic/tests/api/test_hooks.py

@@ -25,6 +25,7 @@ from ironic.api.controllers import root
 from ironic.api import hooks
 from ironic.common import context
 from ironic.tests.api import base
+from ironic.tests import policy_fixture
 
 
 class FakeRequest(object):
@@ -216,6 +217,13 @@ class TestContextHook(base.FunctionalTest):
             roles=headers['X-Roles'].split(','))
 
 
+class TestContextHookCompatJuno(TestContextHook):
+    def setUp(self):
+        super(TestContextHookCompatJuno, self).setUp()
+        self.policy = self.useFixture(
+            policy_fixture.PolicyFixture(compat='juno'))
+
+
 class TestTrustedCallHook(base.FunctionalTest):
     def test_trusted_call_hook_not_admin(self):
         headers = fake_headers(admin=False)
@@ -239,3 +247,13 @@ class TestTrustedCallHook(base.FunctionalTest):
         reqstate.set_context()
         trusted_call_hook = hooks.TrustedCallHook()
         trusted_call_hook.before(reqstate)
+
+
+class TestTrustedCallHookCompatJuno(TestTrustedCallHook):
+    def setUp(self):
+        super(TestTrustedCallHookCompatJuno, self).setUp()
+        self.policy = self.useFixture(
+            policy_fixture.PolicyFixture(compat='juno'))
+
+    def test_trusted_call_hook_public_api(self):
+        self.skipTest('no public_api trusted call policy in juno')

ironic/tests/fake_policy.py

@@ -21,3 +21,21 @@ policy_data = """
     "default": "rule:trusted_call"
 }
 """
+
+
+policy_data_compat_juno = """
+{
+    "admin": "role:admin or role:administrator",
+    "admin_api": "is_admin:True",
+    "default": "rule:admin_api"
+}
+"""
+
+
+def get_policy_data(compat):
+    if not compat:
+        return policy_data
+    elif compat == 'juno':
+        return policy_data_compat_juno
+    else:
+        raise Exception('Policy data for %s not available' % compat)

ironic/tests/policy_fixture.py

@@ -24,6 +24,8 @@ CONF = cfg.CONF
 
 
 class PolicyFixture(fixtures.Fixture):
+    def __init__(self, compat=None):
+        self.compat = compat
 
     def setUp(self):
         super(PolicyFixture, self).setUp()
@@ -31,7 +33,7 @@ class PolicyFixture(fixtures.Fixture):
         self.policy_file_name = os.path.join(self.policy_dir.path,
                                              'policy.json')
         with open(self.policy_file_name, 'w') as policy_file:
-            policy_file.write(fake_policy.policy_data)
+            policy_file.write(fake_policy.get_policy_data(self.compat))
         CONF.set_override('policy_file', self.policy_file_name)
         ironic_policy._ENFORCER = None
         self.addCleanup(ironic_policy.get_enforcer().clear)