Implement policy in code - client (end)

This commit migrate all client policies into code [1] and
also remove policy.json usage file completely.

Like oslo.config, with oslo.policy, we can define all of
default rules in code base and only change some rules
via policy file. Another thing that we should use yaml
format instead of json format.

[1] https://governance.openstack.org/tc/goals/queens/policy-in-code.html
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>

Change-Id: I7c7fd83aa2516c053e38d7598cf79e63401f7519

devstack/lib/freezer-api

@@ -99,7 +99,6 @@ function configure_freezer_api {
 
     sudo cp $FREEZER_API_DIR/etc/freezer/freezer-api.conf.sample $FREEZER_API_CONF_DIR/freezer-api.conf
     sudo cp $FREEZER_API_DIR/etc/freezer/freezer-paste.ini $FREEZER_API_CONF_DIR/freezer-paste.ini
-    sudo cp $FREEZER_API_DIR/etc/freezer/policy.json $FREEZER_API_CONF_DIR/policy.json
 
     # enable debuging
     iniset $FREEZER_API_CONF 'DEFAULT' debug True

etc/freezer/policy.json

@@ -1,6 +0,0 @@
-{
-    "clients:get_all": "",
-    "clients:create": "",
-    "clients:get": "",
-    "clients:delete": ""
-}

freezer_api/common/policies/__init__.py

@@ -20,6 +20,7 @@ import itertools
 from freezer_api.common.policies import action
 from freezer_api.common.policies import backup
 from freezer_api.common.policies import base
+from freezer_api.common.policies import client
 from freezer_api.common.policies import job
 from freezer_api.common.policies import session
 
@@ -29,6 +30,7 @@ def list_rules():
         action.list_rules(),
         backup.list_rules(),
         base.list_rules(),
+        client.list_rules(),
         job.list_rules(),
         session.list_rules()
     )

freezer_api/common/policies/client.py

@@ -0,0 +1,69 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+from oslo_policy import policy
+
+from freezer_api.common.policies import base
+
+CLIENTS = 'clients:%s'
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name=CLIENTS % 'create',
+        check_str=base.UNPROTECTED,
+        description='Create client entry.',
+        operations=[
+            {
+                'path': '/v1/clients',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CLIENTS % 'delete',
+        check_str=base.UNPROTECTED,
+        description='Delete specified client.',
+        operations=[
+            {
+                'path': '/v1/clients/{client_id}',
+                'method': 'DELETE'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CLIENTS % 'get',
+        check_str=base.UNPROTECTED,
+        description='Show clients.',
+        operations=[
+            {
+                'path': '/v1/clients/{client_id}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CLIENTS % 'get_all',
+        check_str=base.UNPROTECTED,
+        description='List clients.',
+        operations=[
+            {
+                'path': '/v1/clients',
+                'method': 'GET'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules

freezer_api/tests/unit/common.py

@@ -19,7 +19,6 @@ limitations under the License.
 import copy
 import io
 import os
-import shutil
 
 import fixtures
 from oslo_config import cfg
@@ -27,7 +26,6 @@ from oslo_config import fixture as cfg_fixture
 import testtools
 
 from freezer_api.common import config
-from freezer_api.common import exceptions
 from freezer_api import policy
 
 CONF = cfg.CONF
@@ -435,26 +433,8 @@ class FreezerBaseTestCase(testtools.TestCase):
         self.test_dir = self.useFixture(fixtures.TempDir()).path
         self.conf_dir = os.path.join(self.test_dir, 'etc')
         os.makedirs(self.conf_dir)
-        self.configure_policy()
-        policy.ENFORCER = FakePolicyEnforcer()
-
-    def configure_policy(self):
-        src_policy_file = 'etc/freezer/policy.json'
-        # copy policy file to test config dir
-        shutil.copy(src_policy_file, self.conf_dir)
-        policy_file = os.path.join(self.conf_dir, 'policy.json')
-        self._config_fixture.config(policy_file=policy_file,
-                                    group='oslo_policy')
-
-
-class FakePolicyEnforcer(object):
-    def __init__(self, *args, **kwargs):
-        self.rules = {}
-
-    def enforce(self, rule, action, ctxt, do_raise=True,
-                exc=exceptions.AccessForbidden):
-        if self.rules.get(rule) is False:
-            raise exceptions.AccessForbidden()
+        policy.ENFORCER = None
+        policy.setup_policy(CONF)
 
 
 class FakeContext(object):
@@ -468,6 +448,3 @@ class FakeContext(object):
 def get_req_items(name):
     req_info = {'freezer.context': FakeContext()}
     return req_info[name]
-
-
-policy.ENFORCER = FakePolicyEnforcer()

releasenotes/notes/policy-and-doc-in-code-60163967ec604cbb.yaml

@@ -0,0 +1,14 @@
+---
+features:
+  - |
+    Freezer now support policy in code, which means if users didn't modify
+    any of policy rules, they can remove or comment out all of rules in
+    policy file or even not deploy it at all. Because from now, Freezer
+    keeps all default policies under `freezer-api/common/policies` module.
+    Users can still modify/generate `policy.yaml` file which will override
+    policy rules in code if those rules show in `policy.yaml` file.
+other:
+  - |
+    Default `policy.json` file is now removed as Freezer now generate the
+    default policies in code. Please be aware that when using that file in your
+    environment.