Use to_policy_values from context for policy

The oslo.context to_policy_values provide the standard arguments that should be passed to oslo.policy for enforcement. By using these values heat will automatically gain support for new things like is_admin_project as they are supported by oslo_context. Because previously the whole to_dict was passed to policy enforcement we are actually removing a whole bunch of options that could be used in policy enforcement - however from a practical perspective i'm not sure anyone would have used them. Closes-Bug: #1602081 Change-Id: I244ed767e2077cf43d55104779484b64bd28c85f
2016-06-29 13:38:39 +10:00 · 2016-06-29 13:38:39 +10:00 · 528945425e
parent dd093f1891
commit 528945425e
3 changed files with 17 additions and 2 deletions
--- a/heat/common/context.py
+++ b/heat/common/context.py
@ -194,6 +194,20 @@ class RequestContext(context.RequestContext):
            project_domain_id=values.get('project_domain')
        )

+    def to_policy_values(self):
+        policy = super(RequestContext, self).to_policy_values()
+
+        # NOTE(jamielennox): These are deprecated values passed to oslo.policy
+        # for enforcement. They shouldn't be needed as the base class defines
+        # what should be used when writing policy but are maintained for
+        # compatibility.
+        policy['user'] = self.user_id
+        policy['tenant'] = self.tenant_id
+        policy['is_admin'] = self.is_admin
+        policy['auth_token_info'] = self.auth_token_info
+
+        return policy
+
    @property
    def keystone_v3_endpoint(self):
        if self.auth_url:
--- a/heat/common/policy.py
+++ b/heat/common/policy.py
@ -62,7 +62,7 @@ class Enforcer(object):
           :returns: A non-False value if access is allowed.
        """
        do_raise = False if not exc else True
-        credentials = context.to_dict()
+        credentials = context.to_policy_values()
        return self.enforcer.enforce(rule, target, credentials,
                                     do_raise, exc=exc, *args, **kwargs)

--- a/heat/tests/test_common_policy.py
+++ b/heat/tests/test_common_policy.py
@ -175,7 +175,8 @@ class TestPolicyEnforcer(common.HeatTestCase):
        enforcer = policy.Enforcer()
        ctx = utils.dummy_context(roles=['admin'])
        self.m.StubOutWithMock(base_policy.Enforcer, 'enforce')
-        base_policy.Enforcer.enforce('context_is_admin', {}, ctx.to_dict(),
+        base_policy.Enforcer.enforce('context_is_admin', {},
+                                     ctx.to_policy_values(),
                                     False, exc=None).AndReturn(True)
        self.m.ReplayAll()
        self.assertTrue(enforcer.check_is_admin(ctx))