From ae388911e0f4901fe5980cfdbd185cb542d4aa84 Mon Sep 17 00:00:00 2001
From: Hieu LE <hieulq@vn.fujitsu.com>
Date: Mon, 16 Oct 2017 10:59:00 +0700
Subject: [PATCH] Implement policy in code - client (end)

This commit migrate all client policies into code [1] and
also remove policy.json usage file completely.

Like oslo.config, with oslo.policy, we can define all of
default rules in code base and only change some rules
via policy file. Another thing that we should use yaml
format instead of json format.

[1] https://governance.openstack.org/tc/goals/queens/policy-in-code.html
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>

Change-Id: I7c7fd83aa2516c053e38d7598cf79e63401f7519
---
 devstack/lib/freezer-api                      |  1 -
 etc/freezer/policy.json                       |  6 --
 freezer_api/common/policies/__init__.py       |  2 +
 freezer_api/common/policies/client.py         | 69 +++++++++++++++++++
 freezer_api/tests/unit/common.py              | 27 +-------
 ...licy-and-doc-in-code-60163967ec604cbb.yaml | 14 ++++
 6 files changed, 87 insertions(+), 32 deletions(-)
 delete mode 100644 etc/freezer/policy.json
 create mode 100644 freezer_api/common/policies/client.py
 create mode 100644 releasenotes/notes/policy-and-doc-in-code-60163967ec604cbb.yaml

diff --git a/devstack/lib/freezer-api b/devstack/lib/freezer-api
index 1fdc5a56..f6fb537e 100644
--- a/devstack/lib/freezer-api
+++ b/devstack/lib/freezer-api
@@ -99,7 +99,6 @@ function configure_freezer_api {
 
     sudo cp $FREEZER_API_DIR/etc/freezer/freezer-api.conf.sample $FREEZER_API_CONF_DIR/freezer-api.conf
     sudo cp $FREEZER_API_DIR/etc/freezer/freezer-paste.ini $FREEZER_API_CONF_DIR/freezer-paste.ini
-    sudo cp $FREEZER_API_DIR/etc/freezer/policy.json $FREEZER_API_CONF_DIR/policy.json
 
     # enable debuging
     iniset $FREEZER_API_CONF 'DEFAULT' debug True
diff --git a/etc/freezer/policy.json b/etc/freezer/policy.json
deleted file mode 100644
index a10a50ec..00000000
--- a/etc/freezer/policy.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
-    "clients:get_all": "",
-    "clients:create": "",
-    "clients:get": "",
-    "clients:delete": ""
-}
diff --git a/freezer_api/common/policies/__init__.py b/freezer_api/common/policies/__init__.py
index 93986d97..f4c686ff 100644
--- a/freezer_api/common/policies/__init__.py
+++ b/freezer_api/common/policies/__init__.py
@@ -20,6 +20,7 @@ import itertools
 from freezer_api.common.policies import action
 from freezer_api.common.policies import backup
 from freezer_api.common.policies import base
+from freezer_api.common.policies import client
 from freezer_api.common.policies import job
 from freezer_api.common.policies import session
 
@@ -29,6 +30,7 @@ def list_rules():
         action.list_rules(),
         backup.list_rules(),
         base.list_rules(),
+        client.list_rules(),
         job.list_rules(),
         session.list_rules()
     )
diff --git a/freezer_api/common/policies/client.py b/freezer_api/common/policies/client.py
new file mode 100644
index 00000000..654908d1
--- /dev/null
+++ b/freezer_api/common/policies/client.py
@@ -0,0 +1,69 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+from oslo_policy import policy
+
+from freezer_api.common.policies import base
+
+CLIENTS = 'clients:%s'
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name=CLIENTS % 'create',
+        check_str=base.UNPROTECTED,
+        description='Create client entry.',
+        operations=[
+            {
+                'path': '/v1/clients',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CLIENTS % 'delete',
+        check_str=base.UNPROTECTED,
+        description='Delete specified client.',
+        operations=[
+            {
+                'path': '/v1/clients/{client_id}',
+                'method': 'DELETE'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CLIENTS % 'get',
+        check_str=base.UNPROTECTED,
+        description='Show clients.',
+        operations=[
+            {
+                'path': '/v1/clients/{client_id}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CLIENTS % 'get_all',
+        check_str=base.UNPROTECTED,
+        description='List clients.',
+        operations=[
+            {
+                'path': '/v1/clients',
+                'method': 'GET'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules
diff --git a/freezer_api/tests/unit/common.py b/freezer_api/tests/unit/common.py
index b60a61a5..0cd4feaf 100644
--- a/freezer_api/tests/unit/common.py
+++ b/freezer_api/tests/unit/common.py
@@ -19,7 +19,6 @@ limitations under the License.
 import copy
 import io
 import os
-import shutil
 
 import fixtures
 from oslo_config import cfg
@@ -27,7 +26,6 @@ from oslo_config import fixture as cfg_fixture
 import testtools
 
 from freezer_api.common import config
-from freezer_api.common import exceptions
 from freezer_api import policy
 
 CONF = cfg.CONF
@@ -435,26 +433,8 @@ class FreezerBaseTestCase(testtools.TestCase):
         self.test_dir = self.useFixture(fixtures.TempDir()).path
         self.conf_dir = os.path.join(self.test_dir, 'etc')
         os.makedirs(self.conf_dir)
-        self.configure_policy()
-        policy.ENFORCER = FakePolicyEnforcer()
-
-    def configure_policy(self):
-        src_policy_file = 'etc/freezer/policy.json'
-        # copy policy file to test config dir
-        shutil.copy(src_policy_file, self.conf_dir)
-        policy_file = os.path.join(self.conf_dir, 'policy.json')
-        self._config_fixture.config(policy_file=policy_file,
-                                    group='oslo_policy')
-
-
-class FakePolicyEnforcer(object):
-    def __init__(self, *args, **kwargs):
-        self.rules = {}
-
-    def enforce(self, rule, action, ctxt, do_raise=True,
-                exc=exceptions.AccessForbidden):
-        if self.rules.get(rule) is False:
-            raise exceptions.AccessForbidden()
+        policy.ENFORCER = None
+        policy.setup_policy(CONF)
 
 
 class FakeContext(object):
@@ -468,6 +448,3 @@ class FakeContext(object):
 def get_req_items(name):
     req_info = {'freezer.context': FakeContext()}
     return req_info[name]
-
-
-policy.ENFORCER = FakePolicyEnforcer()
diff --git a/releasenotes/notes/policy-and-doc-in-code-60163967ec604cbb.yaml b/releasenotes/notes/policy-and-doc-in-code-60163967ec604cbb.yaml
new file mode 100644
index 00000000..1edd7524
--- /dev/null
+++ b/releasenotes/notes/policy-and-doc-in-code-60163967ec604cbb.yaml
@@ -0,0 +1,14 @@
+---
+features:
+  - |
+    Freezer now support policy in code, which means if users didn't modify
+    any of policy rules, they can remove or comment out all of rules in
+    policy file or even not deploy it at all. Because from now, Freezer
+    keeps all default policies under `freezer-api/common/policies` module.
+    Users can still modify/generate `policy.yaml` file which will override
+    policy rules in code if those rules show in `policy.yaml` file.
+other:
+  - |
+    Default `policy.json` file is now removed as Freezer now generate the
+    default policies in code. Please be aware that when using that file in your
+    environment.