Add check_is_admin to common.policy.Enforcer

Currently we have no concept of admin-ness inside Heat, so it's
not possible for deployers to specify a hierarchy within a project
such that some users have more privileged access than others.

The first step is to provide a means to specify in the policy a
rule which describes who is admin, then we can correctly set
is_admin in the context based on that rule.

blueprint: request-scoping-policy

Change-Id: Idd1fb5f4e52bda87c70830d66e0c931bfe879347

heat/common/policy.py

@@ -95,5 +95,13 @@ class Enforcer(object):
         """
         return self._check(context, action, target)
 
+    def check_is_admin(self, context):
+        """Whether or not roles contains 'admin' role according to policy.json
+
+           :param context: Heat request context
+           :returns: A non-False value if the user is admin according to policy
+        """
+        return self._check(context, 'context_is_admin', target={}, exc=None)
+
     def clear(self):
         self.enforcer.clear()

heat/tests/policy/check_admin.json

@@ -0,0 +1,3 @@
+{
+    "context_is_admin":  "role:admin"
+}

heat/tests/test_common_policy.py

@@ -173,3 +173,17 @@ class TestPolicyEnforcer(HeatTestCase):
                                    exc=None, default_rule=default_rule)
         action = 'no_such_action'
         self.assertFalse(enforcer.enforce(ctx, action))
+
+    def test_check_admin(self):
+        self.stub_policyfile('check_admin.json')
+
+        enforcer = policy.Enforcer()
+
+        ctx = utils.dummy_context(roles=[])
+        self.assertFalse(enforcer.check_is_admin(ctx))
+
+        ctx = utils.dummy_context(roles=['not_admin'])
+        self.assertFalse(enforcer.check_is_admin(ctx))
+
+        ctx = utils.dummy_context(roles=['admin'])
+        self.assertTrue(enforcer.check_is_admin(ctx))