authorKevin L. Mitchell <kevin.mitchell@rackspace.com>2012-10-12 13:41:52 -0500
committerGerrit Code Review <review@openstack.org>2012-10-19 15:25:33 +0000
commit68135fc2ea9ed2f8a1eb0dcae3feff3653043a72 (patch)
tree808238717a30708a8a7f32c7d7eaef3c5facb6e7 /nova/tests
parent2cb47fbabf09ced76178e8453d508c66f86a7a3a (diff)
Update policies
Merge in updated openstack-common policy code. Updates Nova-specific policy glue code to eliminate deprecated openstack-common policy interfaces. Also cleans up policy code to allow for returning fine-grained policy values. As a side effect, fixes bug 1039132. Change-Id: I2951a0de3751bd2ec868e7a661070fed624e4af2
Diffstat (limited to 'nova/tests')
-rw-r--r--nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py6
-rw-r--r--nova/tests/compute/test_compute.py4
-rw-r--r--nova/tests/policy.json392
-rw-r--r--nova/tests/test_policy.py86
4 files changed, 265 insertions, 223 deletions
diff --git a/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py b/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
index e468085cc..2470c2a20 100644
--- a/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
+++ b/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
@@ -200,9 +200,11 @@ class SimpleTenantUsageTest(test.TestCase):
rules = {
"compute_extension:simple_tenant_usage:show":
- [["role:admin"], ["project_id:%(project_id)s"]]
+ common_policy.parse_rule([
+ ["role:admin"], ["project_id:%(project_id)s"]
+ ])
}
- common_policy.set_brain(common_policy.HttpBrain(rules))
+ common_policy.set_rules(common_policy.Rules(rules))
try:
res = req.get_response(fakes.wsgi_app(
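Review bot: The rule at the top of the hunk is still spelled in the legacy nested-list form that `parse_rule` accepts, while every other fixture in this commit (test_policy.py, policy.json) uses the new string syntax; `common_policy.parse_rule("role:admin or project_id:%(project_id)s")` keeps the test fixtures consistent and replaces the three-line literal with one. Since `set_rules` replaces the process-wide rule set, the `try:` that follows presumably restores it in a `finally` outside the hunk; worth confirming that reset still works against the new `Rules` object. The enclosing test method continues past the end of the hunk.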
diff --git a/nova/tests/compute/test_compute.py b/nova/tests/compute/test_compute.py
index 6fc317775..1b60e3a68 100644
--- a/nova/tests/compute/test_compute.py
+++ b/nova/tests/compute/test_compute.py
@@ -5010,7 +5010,9 @@ class ComputePolicyTestCase(BaseTestCase):
nova.policy.reset()
def _set_rules(self, rules):
- common_policy.set_brain(common_policy.HttpBrain(rules))
+ common_policy.set_rules(common_policy.Rules(
+ dict((k, common_policy.parse_rule(v))
+ for k, v in rules.items())))
def test_actions_are_prefixed(self):
self.mox.StubOutWithMock(nova.policy, 'enforce')
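Review bot: The `Rules(dict((k, common_policy.parse_rule(v)) for k, v in rules.items()))` wrapper added to `_set_rules` is repeated verbatim in nova/tests/test_policy.py, in `PolicyTestCase.setUp` and `DefaultPolicyTestCase._set_rules`; a single shared test helper, e.g. `def set_rules(rules, default_rule=None)`, would keep each caller to one line and give one place to change the next time the openstack-common policy API moves. A short docstring on `_set_rules` would also help, along the lines of `"""Install *rules* (name -> rule string) as the process-wide policy; undone by nova.policy.reset() in tearDown."""`, since the global side effect is what the `nova.policy.reset()` call visible above appears to undo. The `dict(...)` generator form rather than a dict comprehension looks like a Python 2.6 compatibility choice and deserves a one-line comment so nobody "modernises" it.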
diff --git a/nova/tests/policy.json b/nova/tests/policy.json
index b856da58a..31b9cefd1 100644
--- a/nova/tests/policy.json
+++ b/nova/tests/policy.json
@@ -1,198 +1,198 @@
{
- "admin_api": [["role:admin"]],
-
- "context_is_admin": [["role:admin"], ["role:administrator"]],
- "compute:create": [],
- "compute:create:attach_network": [],
- "compute:create:attach_volume": [],
-
- "compute:get": [],
- "compute:get_all": [],
-
- "compute:update": [],
-
- "compute:get_instance_metadata": [],
- "compute:update_instance_metadata": [],
- "compute:delete_instance_metadata": [],
-
- "compute:get_instance_faults": [],
- "compute:get_diagnostics": [],
-
- "compute:get_lock": [],
- "compute:lock": [],
- "compute:unlock": [],
-
- "compute:get_vnc_console": [],
- "compute:get_console_output": [],
-
- "compute:associate_floating_ip": [],
- "compute:reset_network": [],
- "compute:inject_network_info": [],
- "compute:add_fixed_ip": [],
- "compute:remove_fixed_ip": [],
-
- "compute:attach_volume": [],
- "compute:detach_volume": [],
-
- "compute:inject_file": [],
-
- "compute:set_admin_password": [],
-
- "compute:rescue": [],
- "compute:unrescue": [],
-
- "compute:suspend": [],
- "compute:resume": [],
-
- "compute:pause": [],
- "compute:unpause": [],
-
- "compute:start": [],
- "compute:stop": [],
-
- "compute:resize": [],
- "compute:confirm_resize": [],
- "compute:revert_resize": [],
-
- "compute:rebuild": [],
-
- "compute:reboot": [],
-
- "compute:snapshot": [],
- "compute:backup": [],
-
- "compute:security_groups:add_to_instance": [],
- "compute:security_groups:remove_from_instance": [],
-
- "compute:delete": [],
- "compute:soft_delete": [],
- "compute:force_delete": [],
- "compute:restore": [],
-
-
- "compute_extension:accounts": [],
- "compute_extension:admin_actions:pause": [],
- "compute_extension:admin_actions:unpause": [],
- "compute_extension:admin_actions:suspend": [],
- "compute_extension:admin_actions:resume": [],
- "compute_extension:admin_actions:lock": [],
- "compute_extension:admin_actions:unlock": [],
- "compute_extension:admin_actions:resetNetwork": [],
- "compute_extension:admin_actions:injectNetworkInfo": [],
- "compute_extension:admin_actions:createBackup": [],
- "compute_extension:admin_actions:migrateLive": [],
- "compute_extension:admin_actions:resetState": [],
- "compute_extension:admin_actions:migrate": [],
- "compute_extension:aggregates": [],
- "compute_extension:certificates": [],
- "compute_extension:cloudpipe": [],
- "compute_extension:config_drive": [],
- "compute_extension:console_output": [],
- "compute_extension:consoles": [],
- "compute_extension:createserverext": [],
- "compute_extension:deferred_delete": [],
- "compute_extension:disk_config": [],
- "compute_extension:extended_server_attributes": [],
- "compute_extension:extended_status": [],
- "compute_extension:flavor_access": [],
- "compute_extension:flavor_disabled": [],
- "compute_extension:flavor_rxtx": [],
- "compute_extension:flavor_swap": [],
- "compute_extension:flavorextradata": [],
- "compute_extension:flavorextraspecs": [],
- "compute_extension:flavormanage": [],
- "compute_extension:floating_ip_dns": [],
- "compute_extension:floating_ip_pools": [],
- "compute_extension:floating_ips": [],
- "compute_extension:hosts": [],
- "compute_extension:hypervisors": [],
- "compute_extension:instance_usage_audit_log": [],
- "compute_extension:keypairs": [],
- "compute_extension:multinic": [],
- "compute_extension:networks": [],
- "compute_extension:networks:view": [],
- "compute_extension:quotas:show": [],
- "compute_extension:quotas:update": [],
- "compute_extension:quota_classes": [],
- "compute_extension:rescue": [],
- "compute_extension:security_groups": [],
- "compute_extension:server_diagnostics": [],
- "compute_extension:simple_tenant_usage:show": [],
- "compute_extension:simple_tenant_usage:list": [],
- "compute_extension:users": [],
- "compute_extension:virtual_interfaces": [],
- "compute_extension:virtual_storage_arrays": [],
- "compute_extension:volumes": [],
- "compute_extension:volumetypes": [],
- "compute_extension:zones": [],
-
-
- "volume:create": [],
- "volume:get": [],
- "volume:get_all": [],
- "volume:get_volume_metadata": [],
- "volume:delete": [],
- "volume:update": [],
- "volume:delete_volume_metadata": [],
- "volume:update_volume_metadata": [],
- "volume:attach": [],
- "volume:detach": [],
- "volume:reserve_volume": [],
- "volume:unreserve_volume": [],
- "volume:begin_detaching": [],
- "volume:roll_detaching": [],
- "volume:check_attach": [],
- "volume:check_detach": [],
- "volume:initialize_connection": [],
- "volume:terminate_connection": [],
- "volume:create_snapshot": [],
- "volume:delete_snapshot": [],
- "volume:get_snapshot": [],
- "volume:get_all_snapshots": [],
-
-
- "volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]],
- "volume_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]],
- "volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]],
- "volume_extension:volume_actions:upload_image": [],
- "volume_extension:types_manage": [],
- "volume_extension:types_extra_specs": [],
-
-
- "network:get_all_networks": [],
- "network:get_network": [],
- "network:delete_network": [],
- "network:disassociate_network": [],
- "network:get_vifs_by_instance": [],
- "network:allocate_for_instance": [],
- "network:deallocate_for_instance": [],
- "network:validate_networks": [],
- "network:get_instance_uuids_by_ip_filter": [],
-
- "network:get_floating_ip": [],
- "network:get_floating_ip_pools": [],
- "network:get_floating_ip_by_address": [],
- "network:get_floating_ips_by_project": [],
- "network:get_floating_ips_by_fixed_address": [],
- "network:allocate_floating_ip": [],
- "network:deallocate_floating_ip": [],
- "network:associate_floating_ip": [],
- "network:disassociate_floating_ip": [],
-
- "network:get_fixed_ip": [],
- "network:get_fixed_ip_by_address": [],
- "network:add_fixed_ip_to_instance": [],
- "network:remove_fixed_ip_from_instance": [],
- "network:add_network_to_project": [],
- "network:get_instance_nw_info": [],
-
- "network:get_dns_domains": [],
- "network:add_dns_entry": [],
- "network:modify_dns_entry": [],
- "network:delete_dns_entry": [],
- "network:get_dns_entries_by_address": [],
- "network:get_dns_entries_by_name": [],
- "network:create_private_dns_domain": [],
- "network:create_public_dns_domain": [],
- "network:delete_dns_domain": []
+ "admin_api": "role:admin",
+
+ "context_is_admin": "role:admin or role:administrator",
+ "compute:create": "",
+ "compute:create:attach_network": "",
+ "compute:create:attach_volume": "",
+
+ "compute:get": "",
+ "compute:get_all": "",
+
+ "compute:update": "",
+
+ "compute:get_instance_metadata": "",
+ "compute:update_instance_metadata": "",
+ "compute:delete_instance_metadata": "",
+
+ "compute:get_instance_faults": "",
+ "compute:get_diagnostics": "",
+
+ "compute:get_lock": "",
+ "compute:lock": "",
+ "compute:unlock": "",
+
+ "compute:get_vnc_console": "",
+ "compute:get_console_output": "",
+
+ "compute:associate_floating_ip": "",
+ "compute:reset_network": "",
+ "compute:inject_network_info": "",
+ "compute:add_fixed_ip": "",
+ "compute:remove_fixed_ip": "",
+
+ "compute:attach_volume": "",
+ "compute:detach_volume": "",
+
+ "compute:inject_file": "",
+
+ "compute:set_admin_password": "",
+
+ "compute:rescue": "",
+ "compute:unrescue": "",
+
+ "compute:suspend": "",
+ "compute:resume": "",
+
+ "compute:pause": "",
+ "compute:unpause": "",
+
+ "compute:start": "",
+ "compute:stop": "",
+
+ "compute:resize": "",
+ "compute:confirm_resize": "",
+ "compute:revert_resize": "",
+
+ "compute:rebuild": "",
+
+ "compute:reboot": "",
+
+ "compute:snapshot": "",
+ "compute:backup": "",
+
+ "compute:security_groups:add_to_instance": "",
+ "compute:security_groups:remove_from_instance": "",
+
+ "compute:delete": "",
+ "compute:soft_delete": "",
+ "compute:force_delete": "",
+ "compute:restore": "",
+
+
+ "compute_extension:accounts": "",
+ "compute_extension:admin_actions:pause": "",
+ "compute_extension:admin_actions:unpause": "",
+ "compute_extension:admin_actions:suspend": "",
+ "compute_extension:admin_actions:resume": "",
+ "compute_extension:admin_actions:lock": "",
+ "compute_extension:admin_actions:unlock": "",
+ "compute_extension:admin_actions:resetNetwork": "",
+ "compute_extension:admin_actions:injectNetworkInfo": "",
+ "compute_extension:admin_actions:createBackup": "",
+ "compute_extension:admin_actions:migrateLive": "",
+ "compute_extension:admin_actions:resetState": "",
+ "compute_extension:admin_actions:migrate": "",
+ "compute_extension:aggregates": "",
+ "compute_extension:certificates": "",
+ "compute_extension:cloudpipe": "",
+ "compute_extension:config_drive": "",
+ "compute_extension:console_output": "",
+ "compute_extension:consoles": "",
+ "compute_extension:createserverext": "",
+ "compute_extension:deferred_delete": "",
+ "compute_extension:disk_config": "",
+ "compute_extension:extended_server_attributes": "",
+ "compute_extension:extended_status": "",
+ "compute_extension:flavor_access": "",
+ "compute_extension:flavor_disabled": "",
+ "compute_extension:flavor_rxtx": "",
+ "compute_extension:flavor_swap": "",
+ "compute_extension:flavorextradata": "",
+ "compute_extension:flavorextraspecs": "",
+ "compute_extension:flavormanage": "",
+ "compute_extension:floating_ip_dns": "",
+ "compute_extension:floating_ip_pools": "",
+ "compute_extension:floating_ips": "",
+ "compute_extension:hosts": "",
+ "compute_extension:hypervisors": "",
+ "compute_extension:instance_usage_audit_log": "",
+ "compute_extension:keypairs": "",
+ "compute_extension:multinic": "",
+ "compute_extension:networks": "",
+ "compute_extension:networks:view": "",
+ "compute_extension:quotas:show": "",
+ "compute_extension:quotas:update": "",
+ "compute_extension:quota_classes": "",
+ "compute_extension:rescue": "",
+ "compute_extension:security_groups": "",
+ "compute_extension:server_diagnostics": "",
+ "compute_extension:simple_tenant_usage:show": "",
+ "compute_extension:simple_tenant_usage:list": "",
+ "compute_extension:users": "",
+ "compute_extension:virtual_interfaces": "",
+ "compute_extension:virtual_storage_arrays": "",
+ "compute_extension:volumes": "",
+ "compute_extension:volumetypes": "",
+ "compute_extension:zones": "",
+
+
+ "volume:create": "",
+ "volume:get": "",
+ "volume:get_all": "",
+ "volume:get_volume_metadata": "",
+ "volume:delete": "",
+ "volume:update": "",
+ "volume:delete_volume_metadata": "",
+ "volume:update_volume_metadata": "",
+ "volume:attach": "",
+ "volume:detach": "",
+ "volume:reserve_volume": "",
+ "volume:unreserve_volume": "",
+ "volume:begin_detaching": "",
+ "volume:roll_detaching": "",
+ "volume:check_attach": "",
+ "volume:check_detach": "",
+ "volume:initialize_connection": "",
+ "volume:terminate_connection": "",
+ "volume:create_snapshot": "",
+ "volume:delete_snapshot": "",
+ "volume:get_snapshot": "",
+ "volume:get_all_snapshots": "",
+
+
+ "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
+ "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
+ "volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
+ "volume_extension:volume_actions:upload_image": "",
+ "volume_extension:types_manage": "",
+ "volume_extension:types_extra_specs": "",
+
+
+ "network:get_all_networks": "",
+ "network:get_network": "",
+ "network:delete_network": "",
+ "network:disassociate_network": "",
+ "network:get_vifs_by_instance": "",
+ "network:allocate_for_instance": "",
+ "network:deallocate_for_instance": "",
+ "network:validate_networks": "",
+ "network:get_instance_uuids_by_ip_filter": "",
+
+ "network:get_floating_ip": "",
+ "network:get_floating_ip_pools": "",
+ "network:get_floating_ip_by_address": "",
+ "network:get_floating_ips_by_project": "",
+ "network:get_floating_ips_by_fixed_address": "",
+ "network:allocate_floating_ip": "",
+ "network:deallocate_floating_ip": "",
+ "network:associate_floating_ip": "",
+ "network:disassociate_floating_ip": "",
+
+ "network:get_fixed_ip": "",
+ "network:get_fixed_ip_by_address": "",
+ "network:add_fixed_ip_to_instance": "",
+ "network:remove_fixed_ip_from_instance": "",
+ "network:add_network_to_project": "",
+ "network:get_instance_nw_info": "",
+
+ "network:get_dns_domains": "",
+ "network:add_dns_entry": "",
+ "network:modify_dns_entry": "",
+ "network:delete_dns_entry": "",
+ "network:get_dns_entries_by_address": "",
+ "network:get_dns_entries_by_name": "",
+ "network:create_private_dns_domain": "",
+ "network:create_public_dns_domain": "",
+ "network:delete_dns_domain": ""
}
diff --git a/nova/tests/test_policy.py b/nova/tests/test_policy.py
index a85d3e25c..c0c487447 100644
--- a/nova/tests/test_policy.py
+++ b/nova/tests/test_policy.py
@@ -56,10 +56,10 @@ class PolicyFileTestCase(test.TestCase):
action = "example:test"
with open(tmpfilename, "w") as policyfile:
- policyfile.write("""{"example:test": []}""")
+ policyfile.write("""{"example:test": ""}""")
policy.enforce(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
- policyfile.write("""{"example:test": ["false:false"]}""")
+ policyfile.write("""{"example:test": "!"}""")
# NOTE(vish): reset stored policy cache so we don't have to
# sleep(1)
policy._POLICY_CACHE = {}
@@ -74,19 +74,21 @@ class PolicyTestCase(test.TestCase):
# NOTE(vish): preload rules to circumvent reloading from file
policy.init()
rules = {
- "true": [],
- "example:allowed": [],
- "example:denied": [["false:false"]],
- "example:get_http": [["http:http://www.example.com"]],
- "example:my_file": [["role:compute_admin"],
- ["project_id:%(project_id)s"]],
- "example:early_and_fail": [["false:false", "rule:true"]],
- "example:early_or_success": [["rule:true"], ["false:false"]],
- "example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
- "example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
+ "true": '@',
+ "example:allowed": '@',
+ "example:denied": "!",
+ "example:get_http": "http://www.example.com",
+ "example:my_file": "role:compute_admin or "
+ "project_id:%(project_id)s",
+ "example:early_and_fail": "! and @",
+ "example:early_or_success": "@ or !",
+ "example:lowercase_admin": "role:admin or role:sysadmin",
+ "example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
# NOTE(vish): then overload underlying brain
- common_policy.set_brain(common_policy.HttpBrain(rules))
+ common_policy.set_rules(common_policy.Rules(
+ dict((k, common_policy.parse_rule(v))
+ for k, v in rules.items())))
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
@@ -104,9 +106,15 @@ class PolicyTestCase(test.TestCase):
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
self.context, action, self.target)
+ def test_enforce_bad_action_noraise(self):
+ action = "example:denied"
+ result = policy.enforce(self.context, action, self.target, False)
+ self.assertEqual(result, False)
+
def test_enforce_good_action(self):
action = "example:allowed"
- policy.enforce(self.context, action, self.target)
+ result = policy.enforce(self.context, action, self.target)
+ self.assertEqual(result, True)
def test_enforce_http_true(self):
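Review bot: `policy.enforce(self.context, action, self.target, False)` in the new `test_enforce_bad_action_noraise` passes the no-raise switch as a bare positional literal, which a reader cannot decode without opening nova/policy.py; passing it by keyword (`do_raise=False`, or whatever the parameter is named in this revision) makes the test self-explanatory. Likewise `self.assertEqual(result, False)` and `self.assertEqual(result, True)` read more naturally as `self.assertFalse(result)` / `self.assertTrue(result)`, or `self.assertIs(result, False)` if the intent is to pin the exact boolean that the reworked `enforce` now returns; the same `assertEqual(result, True)` form appears in the next hunk in `test_enforce_http_true`.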
@@ -116,7 +124,7 @@ class PolicyTestCase(test.TestCase):
action = "example:get_http"
target = {}
result = policy.enforce(self.context, action, target)
- self.assertEqual(result, None)
+ self.assertEqual(result, True)
def test_enforce_http_false(self):
@@ -151,8 +159,8 @@ class PolicyTestCase(test.TestCase):
# NOTE(dprince) we mix case in the Admin role here to ensure
# case is ignored
admin_context = context.RequestContext('admin',
- 'fake',
- roles=['AdMiN'])
+ 'fake',
+ roles=['AdMiN'])
policy.enforce(admin_context, lowercase_action, self.target)
policy.enforce(admin_context, uppercase_action, self.target)
@@ -165,17 +173,19 @@ class DefaultPolicyTestCase(test.TestCase):
policy.init()
self.rules = {
- "default": [],
- "example:exist": [["false:false"]]
+ "default": '',
+ "example:exist": "!",
}
- self._set_brain('default')
+ self._set_rules('default')
self.context = context.RequestContext('fake', 'fake')
- def _set_brain(self, default_rule):
- brain = common_policy.HttpBrain(self.rules, default_rule)
- common_policy.set_brain(brain)
+ def _set_rules(self, default_rule):
+ rules = common_policy.Rules(
+ dict((k, common_policy.parse_rule(v))
+ for k, v in self.rules.items()), default_rule)
+ common_policy.set_rules(rules)
def tearDown(self):
super(DefaultPolicyTestCase, self).tearDown()
@@ -189,6 +199,34 @@ class DefaultPolicyTestCase(test.TestCase):
policy.enforce(self.context, "example:noexist", {})
def test_default_not_found(self):
- self._set_brain("default_noexist")
+ self._set_rules("default_noexist")
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
self.context, "example:noexist", {})
+
+
+class IsAdminCheckTestCase(test.TestCase):
+ def test_init_true(self):
+ check = policy.IsAdminCheck('is_admin', 'True')
+
+ self.assertEqual(check.kind, 'is_admin')
+ self.assertEqual(check.match, 'True')
+ self.assertEqual(check.expected, True)
+
+ def test_init_false(self):
+ check = policy.IsAdminCheck('is_admin', 'nottrue')
+
+ self.assertEqual(check.kind, 'is_admin')
+ self.assertEqual(check.match, 'False')
+ self.assertEqual(check.expected, False)
+
+ def test_call_true(self):
+ check = policy.IsAdminCheck('is_admin', 'True')
+
+ self.assertEqual(check('target', dict(is_admin=True)), True)
+ self.assertEqual(check('target', dict(is_admin=False)), False)
+
+ def test_call_false(self):
+ check = policy.IsAdminCheck('is_admin', 'False')
+
+ self.assertEqual(check('target', dict(is_admin=True)), False)
+ self.assertEqual(check('target', dict(is_admin=False)), True)
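Review bot: `IsAdminCheckTestCase` pins only the literal match `'True'` and one non-matching string, so the behaviour policy authors are most likely to hit is left unspecified by the suite: the lower-case variants `'true'`/`'TRUE'` (case-insensitive or exact match?) and a creds dict with no `is_admin` key at all (`KeyError` or `False`?). Whichever is intended, one assertion each, e.g. `check = policy.IsAdminCheck('is_admin', 'true')` followed by an assertion on `check.expected`, and one on `check('target', {})`, would fix the contract. A class docstring such as `"""Tests for the Nova-specific is_admin:<bool> policy check."""` is also missing, as the new test class has none.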