From 43e9df85ab286ddee96e9cff97f551781baf70d1 Mon Sep 17 00:00:00 2001
From: David Lyle
Date: Fri, 18 Nov 2016 15:02:20 -0700
Subject: [PATCH] Rework hardcoded policy in admin dash
Since the content in a Dashboard is not hardcoded, having hardcoded policy checks to specific services at the dashboard level is wrong. The Dashboard was designed to evaluate all panels to determine policy so this type of thing could be avoided. This patch moves the content specific policy checks to the panels where they apply. Additionally, this fix uncovered another bug where policy_rules are wrapped in a list regardless of format. This patch adds a check and only wraps where necessary.
Change-Id: I79314a45c3c552ebcb3bb7cc881c2467fa009c5d
Closes-Bug: #1643013
Closes-Bug: #1643074
---
 horizon/base.py | 5 ++++-
 openstack_dashboard/dashboards/admin/aggregates/panel.py | 1 +
 openstack_dashboard/dashboards/admin/defaults/panel.py | 2 ++
 openstack_dashboard/dashboards/admin/flavors/panel.py | 1 +
 openstack_dashboard/dashboards/admin/floating_ips/panel.py | 1 +
 openstack_dashboard/dashboards/admin/images/panel.py | 3 ++-
 openstack_dashboard/dashboards/admin/info/panel.py | 4 ++++
 openstack_dashboard/dashboards/admin/instances/panel.py | 3 ++-
 openstack_dashboard/dashboards/admin/metadata_defs/panel.py | 3 ++-
 openstack_dashboard/dashboards/admin/networks/panel.py | 1 +
 openstack_dashboard/dashboards/admin/ngflavors/panel.py | 1 +
 openstack_dashboard/dashboards/admin/overview/panel.py | 3 ++-
 openstack_dashboard/dashboards/admin/routers/panel.py | 1 +
 openstack_dashboard/dashboards/admin/volumes/panel.py | 1 +
 14 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/horizon/base.py b/horizon/base.py
index ab4f5e1ba4..5db6327309 100644
--- a/horizon/base.py
+++ b/horizon/base.py
@@ -150,7 +150,10 @@ class HorizonComponent(object):
 # default in the policy engine, so calling each rule individually
 if policy_check and self.policy_rules:
 for rule in self.policy_rules:
- if policy_check((rule,), request):
+ rule_param = rule
+ if not any(isinstance(r, (list, tuple)) for r in rule):
+ rule_param = list(rule)
+ if policy_check(rule_param, request):
 return True
 return False
diff --git a/openstack_dashboard/dashboards/admin/aggregates/panel.py b/openstack_dashboard/dashboards/admin/aggregates/panel.py
index 8fc5023d7a..96796d2379 100644
--- a/openstack_dashboard/dashboards/admin/aggregates/panel.py
+++ b/openstack_dashboard/dashboards/admin/aggregates/panel.py
@@ -24,6 +24,7 @@ LOG = logging.getLogger(__name__)
 class Aggregates(horizon.Panel):
 name = _("Host Aggregates")
 slug = 'aggregates'
+ policy_rules = (("compute", "compute_extension:aggregates"),)
 permissions = ('openstack.services.compute',)
 def allowed(self, context):
diff --git a/openstack_dashboard/dashboards/admin/defaults/panel.py b/openstack_dashboard/dashboards/admin/defaults/panel.py
index 7a222a2139..4a9e36d359 100644
--- a/openstack_dashboard/dashboards/admin/defaults/panel.py
+++ b/openstack_dashboard/dashboards/admin/defaults/panel.py
@@ -20,3 +20,5 @@ import horizon
 class Defaults(horizon.Panel):
 name = _("Defaults")
 slug = 'defaults'
+ policy_rules = (("compute", "context_is_admin"),
+ ("volume", "context_is_admin"),)
diff --git a/openstack_dashboard/dashboards/admin/flavors/panel.py b/openstack_dashboard/dashboards/admin/flavors/panel.py
index d8ba030324..af86bc07e9 100644
--- a/openstack_dashboard/dashboards/admin/flavors/panel.py
+++ b/openstack_dashboard/dashboards/admin/flavors/panel.py
@@ -25,3 +25,4 @@ class Flavors(horizon.Panel):
 name = _("Flavors")
 slug = 'flavors'
 permissions = ('openstack.services.compute',)
+ policy_rules = (("compute", "context_is_admin"),)
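Review bot: In the horizon/base.py hunk, `rule_param = list(rule)` does not wrap a flat rule, it converts it: `("compute", "context_is_admin")` becomes `["compute", "context_is_admin"]`, whereas the removed line passed `(rule,)`, a one-element sequence holding the (scope, action) pair. policy_check is not visible here, but if it unpacks each element as a pair, a flat rule now either raises or is evaluated against the wrong values, and this loop is the access decision for every panel this patch touches. Keeping the previous shape for flat rules would be `rule_param = (rule,)`. A unit test with one flat and one nested rule would pin the behaviour; the enclosing method starts and ends outside the hunk.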
diff --git a/openstack_dashboard/dashboards/admin/floating_ips/panel.py b/openstack_dashboard/dashboards/admin/floating_ips/panel.py
index 2503c795cd..589457ca07 100644
--- a/openstack_dashboard/dashboards/admin/floating_ips/panel.py
+++ b/openstack_dashboard/dashboards/admin/floating_ips/panel.py
@@ -23,6 +23,7 @@ class AdminFloatingIps(horizon.Panel):
 name = _("Floating IPs")
 slug = 'floating_ips'
 permissions = ('openstack.services.network', )
+ policy_rules = (("network", "context_is_admin"),)
 @staticmethod
 def can_register():
diff --git a/openstack_dashboard/dashboards/admin/images/panel.py b/openstack_dashboard/dashboards/admin/images/panel.py
index 981adc06c9..f6dc1252cb 100644
--- a/openstack_dashboard/dashboards/admin/images/panel.py
+++ b/openstack_dashboard/dashboards/admin/images/panel.py
@@ -25,4 +25,5 @@ class Images(horizon.Panel):
 name = _("Images")
 slug = 'images'
 permissions = ('openstack.services.image',)
- policy_rules = (("image", "get_images"),)
+ policy_rules = ((("image", "context_is_admin"),
+ ("image", "get_images")),)
diff --git a/openstack_dashboard/dashboards/admin/info/panel.py b/openstack_dashboard/dashboards/admin/info/panel.py
index 9c5fe7a05c..b1945b3d08 100644
--- a/openstack_dashboard/dashboards/admin/info/panel.py
+++ b/openstack_dashboard/dashboards/admin/info/panel.py
@@ -24,3 +24,7 @@ import horizon
 class Info(horizon.Panel):
 name = _("System Information")
 slug = 'info'
+ policy_rules = (("compute", "context_is_admin"),
+ ("volume", "context_is_admin"),
+ ("network", "context_is_admin"),
+ ("orchestation", "context_is_admin"),)
diff --git a/openstack_dashboard/dashboards/admin/instances/panel.py b/openstack_dashboard/dashboards/admin/instances/panel.py
index efaad956d5..4125734c41 100644
--- a/openstack_dashboard/dashboards/admin/instances/panel.py
+++ b/openstack_dashboard/dashboards/admin/instances/panel.py
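Review bot: In admin/images/panel.py the new `policy_rules` nests both pairs inside one extra tuple, and nothing on the line says that this changes the meaning from "any of" to "all of". Judging by the horizon/base.py hunk, each top-level entry is checked on its own and the first pass wins, while a nested entry is handed to policy_check as a whole and presumably requires every pair; the difference rests on one pair of parentheses and a trailing comma. A comment above the attribute would make that explicit, e.g. `# nested tuple: both rules must pass (context_is_admin AND get_images)`. The same applies to the instances, metadata_defs and overview panels later in the patch.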
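Review bot: In admin/info/panel.py the scope in `("orchestation", "context_is_admin")` is misspelled, so it will not match the orchestration service's policy. How policy_check treats a scope it has no policy for is not visible here; if it treats such a rule as allowed, then because the top-level rules are alternatives this one entry would let the System Information panel pass the check for any user. The last added line should read `("orchestration", "context_is_admin"),)`.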
@@ -25,4 +25,5 @@ class Instances(horizon.Panel):
 name = _("Instances")
 slug = 'instances'
 permissions = ('openstack.services.compute',)
- policy_rules = (("compute", "compute:get_all"),)
+ policy_rules = ((("compute", "context_is_admin"),
+ ("compute", "compute:get_all")),)
diff --git a/openstack_dashboard/dashboards/admin/metadata_defs/panel.py b/openstack_dashboard/dashboards/admin/metadata_defs/panel.py
index 2feabdcc2d..097324ca17 100644
--- a/openstack_dashboard/dashboards/admin/metadata_defs/panel.py
+++ b/openstack_dashboard/dashboards/admin/metadata_defs/panel.py
@@ -23,7 +23,8 @@ from openstack_dashboard.api import glance
 class MetadataDefinitions(horizon.Panel):
 name = _("Metadata Definitions")
 slug = 'metadata_defs'
- policy_rules = (("image", "get_metadef_namespaces"),)
+ policy_rules = ((("image", "context_is_admin"),
+ ("image", "get_metadef_namespaces")),)
 permissions = ('openstack.services.image',)
 @staticmethod
diff --git a/openstack_dashboard/dashboards/admin/networks/panel.py b/openstack_dashboard/dashboards/admin/networks/panel.py
index 43976ec1d3..f49c5d6f4e 100644
--- a/openstack_dashboard/dashboards/admin/networks/panel.py
+++ b/openstack_dashboard/dashboards/admin/networks/panel.py
@@ -21,3 +21,4 @@ class Networks(horizon.Panel):
 name = _("Networks")
 slug = 'networks'
 permissions = ('openstack.services.network',)
+ policy_rules = (("network", "context_is_admin"),)
diff --git a/openstack_dashboard/dashboards/admin/ngflavors/panel.py b/openstack_dashboard/dashboards/admin/ngflavors/panel.py
index f485bee2b4..9841763378 100644
--- a/openstack_dashboard/dashboards/admin/ngflavors/panel.py
+++ b/openstack_dashboard/dashboards/admin/ngflavors/panel.py
@@ -22,3 +22,4 @@ class NGFlavors(horizon.Panel):
 name = _("Flavors")
 slug = 'ngflavors'
 permissions = ('openstack.services.compute',)
+ policy_rules = (("compute", "context_is_admin"),)
diff --git a/openstack_dashboard/dashboards/admin/overview/panel.py b/openstack_dashboard/dashboards/admin/overview/panel.py
index 6209d3b990..a1cd5f22d0 100644
--- a/openstack_dashboard/dashboards/admin/overview/panel.py
+++ b/openstack_dashboard/dashboards/admin/overview/panel.py
@@ -26,7 +26,8 @@ from openstack_dashboard.dashboards.admin import dashboard
 class Overview(horizon.Panel):
 name = _("Overview")
 slug = 'overview'
- policy_rules = (('identity', 'identity:list_projects'),)
+ policy_rules = ((('identity', 'identity:list_projects'),
+ ('compute', 'context_is_admin')),)
 permissions = ('openstack.services.compute',)
diff --git a/openstack_dashboard/dashboards/admin/routers/panel.py b/openstack_dashboard/dashboards/admin/routers/panel.py
index fa7b159c42..a525d2ab4f 100644
--- a/openstack_dashboard/dashboards/admin/routers/panel.py
+++ b/openstack_dashboard/dashboards/admin/routers/panel.py
@@ -22,6 +22,7 @@ class Routers(horizon.Panel):
 name = _("Routers")
 slug = 'routers'
 permissions = ('openstack.services.network',)
+ policy_rules = (("network", "context_is_admin"),)
 @staticmethod
 def can_register():
diff --git a/openstack_dashboard/dashboards/admin/volumes/panel.py b/openstack_dashboard/dashboards/admin/volumes/panel.py
index d4b1086b22..6abf038ba3 100644
--- a/openstack_dashboard/dashboards/admin/volumes/panel.py
+++ b/openstack_dashboard/dashboards/admin/volumes/panel.py
@@ -21,3 +21,4 @@ class Volumes(horizon.Panel):
 permissions = (
 ('openstack.services.volume', 'openstack.services.volumev2'),
 )
+ policy_rules = (("volume", "context_is_admin"),)