From 84f27adcb887a7b0b3e6c10c54b9568bf812245a Mon Sep 17 00:00:00 2001
From: Dai Dang Van
Date: Thu, 19 Oct 2017 11:26:03 +0700
Subject: [PATCH] Implement policy in code (2)

This commit will move all default policies to code for:
- telemetry:get_alarm
- telemetry:get_alarms
- telemetry:query_alarm
- telemetry:create_alarm
- telemetry:change_alarm
- telemetry:delete_alarm

Change-Id: Iae86738119882c49b9488f78f206ecd2f6fa26d7
Co-authored-By: Hieu LE
---
aodh/api/policies.py | 68 ++++++++++++++++++++++++-
aodh/api/policy.json | 8 ---
aodh/tests/functional/gabbi/fixtures.py | 6 +--
aodh/tests/open-policy.json | 5 --
4 files changed, 69 insertions(+), 18 deletions(-)
delete mode 100644 aodh/tests/open-policy.json

diff --git a/aodh/api/policies.py b/aodh/api/policies.py
index e3784459b..28a1b7530 100644
--- a/aodh/api/policies.py
+++ b/aodh/api/policies.py
@@ -15,9 +15,9 @@ from oslo_policy import policy
-
 RULE_CONTEXT_IS_ADMIN = 'rule:context_is_admin'
 RULE_ADMIN_OR_OWNER = 'rule:context_is_admin or project_id:%(project_id)s'
+UNPROTECTED = ''
 rules = [
 policy.RuleDefault(
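Review bot: `UNPROTECTED = ''` is introduced without a comment, and of the three constants here it is the only one whose effect is not readable from its value: oslo.policy evaluates an empty check string as always-true, so any rule bound to it bypasses role and project checks entirely. A short comment above it, `# Empty check string: oslo.policy treats it as always-allowed, i.e. no RBAC restriction.`, makes that explicit for whoever next assigns a rule to it. The `rules` list that consumes the constant continues in the next hunk.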
@@ -34,6 +34,72 @@ rules = [
 policy.RuleDefault(
 name="default",
 check_str=RULE_ADMIN_OR_OWNER
+ ),
+ policy.DocumentedRuleDefault(
+ name="telemetry:get_alarm",
+ check_str=RULE_ADMIN_OR_OWNER,
+ description='Get an alarm.',
+ operations=[
+ {
+ 'path': '/v2/alarms/{alarm_id}',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name="telemetry:get_alarms",
+ check_str=RULE_ADMIN_OR_OWNER,
+ description='Get all alarms, based on the query provided.',
+ operations=[
+ {
+ 'path': '/v2/alarms',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name="telemetry:query_alarm",
+ check_str=RULE_ADMIN_OR_OWNER,
+ description='Get all alarms, based on the query provided.',
+ operations=[
+ {
+ 'path': '/v2/query/alarms',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name="telemetry:create_alarm",
+ check_str=UNPROTECTED,
+ description='Create a new alarm.',
+ operations=[
+ {
+ 'path': '/v2/alarms',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name="telemetry:change_alarm",
+ check_str=RULE_ADMIN_OR_OWNER,
+ description='Modify this alarm.',
+ operations=[
+ {
+ 'path': '/v2/alarms/{alarm_id}',
+ 'method': 'PUT'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name="telemetry:delete_alarm",
+ check_str=RULE_ADMIN_OR_OWNER,
+ description='Delete this alarm.',
+ operations=[
+ {
+ 'path': '/v2/alarms/{alarm_id}',
+ 'method': 'DELETE'
+ }
+ ]
 )
 ]
diff --git a/aodh/api/policy.json b/aodh/api/policy.json
index 96fdb48aa..f125cc0d1 100644
--- a/aodh/api/policy.json
+++ b/aodh/api/policy.json
@@ -1,12 +1,4 @@
 {
- "telemetry:get_alarm": "rule:admin_or_owner",
- "telemetry:get_alarms": "rule:admin_or_owner",
- "telemetry:query_alarm": "rule:admin_or_owner",
-
- "telemetry:create_alarm": "",
- "telemetry:change_alarm": "rule:admin_or_owner",
- "telemetry:delete_alarm": "rule:admin_or_owner",
-
 "telemetry:get_alarm_state": "rule:admin_or_owner",
 "telemetry:change_alarm_state": "rule:admin_or_owner",
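Review bot: `telemetry:create_alarm` is registered with `check_str=UNPROTECTED`, which faithfully carries over the `""` it replaces in policy.json, but its description 'Create a new alarm.' gives no hint that this is the one write operation in the list open to every caller by default, so the generated policy documentation will not surface it. Spelling it out in the text that DocumentedRuleDefault publishes, e.g. `description='Create a new alarm. Unrestricted by default: any caller that reaches the API may create alarms.'`, lets operators decide whether to override it instead of discovering it later. Separately, `telemetry:query_alarm` reuses the `telemetry:get_alarms` description verbatim although it documents a different operation (POST on /v2/query/alarms); `description='Query alarms through the complex-query endpoint.'` keeps the two rules distinguishable. The `rules` list these entries extend opens in the previous hunk.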
diff --git a/aodh/tests/functional/gabbi/fixtures.py b/aodh/tests/functional/gabbi/fixtures.py
index c9f01030c..bdbb72dfd 100644
--- a/aodh/tests/functional/gabbi/fixtures.py
+++ b/aodh/tests/functional/gabbi/fixtures.py
@@ -27,6 +27,7 @@ from six.moves.urllib import parse as urlparse
 import sqlalchemy_utils
 from aodh.api import app
+from aodh.api import rbac
 from aodh import service
 from aodh import storage
@@ -76,10 +77,7 @@ class ConfigFixture(fixture.GabbiFixture):
 self.conf = conf
 opts.set_defaults(self.conf)
- conf.set_override('policy_file',
- os.path.abspath(
- 'aodh/tests/open-policy.json'),
- group='oslo_policy')
+ rbac.enforce = mock.Mock()
 conf.set_override('auth_mode', None, group='api')
 parsed_url = urlparse.urlparse(db_url)
diff --git a/aodh/tests/open-policy.json b/aodh/tests/open-policy.json
deleted file mode 100644
index 8f0602afb..000000000
--- a/aodh/tests/open-policy.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "segregation": "rule:context_is_admin",
- "default": ""
-}
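Review bot: `rbac.enforce = mock.Mock()` rebinds a module attribute for the whole test process, and nothing in this hunk restores it, so policy enforcement stays disabled for any later test in the same process that goes through `aodh.api.rbac`, and a bare Mock also accepts any call signature silently. The removed lines scoped the open policy to this fixture's `conf`; the equivalent scoping here is `self._enforce_patch = mock.patch.object(rbac, 'enforce')` followed by `self._enforce_patch.start()`, with `self._enforce_patch.stop()` in the fixture's teardown (presumably its stop method, which is outside the hunk). If `mock` is not already imported in this file, the new line also needs `from unittest import mock` (or the `mock` package this tree uses) alongside the `from aodh.api import rbac` added in the first hunk, and dropping the `os.path.abspath` call may leave `os` unused. The enclosing method starts and ends outside the hunk.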