Merge "Add check_is_admin to common.policy.Enforcer"

2013-11-28 11:56:52 +00:00 · 2013-11-28 11:56:52 +00:00 · 1aa3ce7460
commit 1aa3ce7460
parent 56fd270731 d414b46c59
3 changed files with 25 additions and 0 deletions
--- a/heat/common/policy.py
+++ b/heat/common/policy.py
@ -95,5 +95,13 @@ class Enforcer(object):
        """
        return self._check(context, action, target)

+    def check_is_admin(self, context):
+        """Whether or not roles contains 'admin' role according to policy.json
+
+           :param context: Heat request context
+           :returns: A non-False value if the user is admin according to policy
+        """
+        return self._check(context, 'context_is_admin', target={}, exc=None)
+
    def clear(self):
        self.enforcer.clear()
--- a/heat/tests/policy/check_admin.json
+++ b/heat/tests/policy/check_admin.json
@ -0,0 +1,3 @@
+{
+    "context_is_admin":  "role:admin"
+}
--- a/heat/tests/test_common_policy.py
+++ b/heat/tests/test_common_policy.py
@ -173,3 +173,17 @@ class TestPolicyEnforcer(HeatTestCase):
                                   exc=None, default_rule=default_rule)
        action = 'no_such_action'
        self.assertFalse(enforcer.enforce(ctx, action))
+
+    def test_check_admin(self):
+        self.stub_policyfile('check_admin.json')
+
+        enforcer = policy.Enforcer()
+
+        ctx = utils.dummy_context(roles=[])
+        self.assertFalse(enforcer.check_is_admin(ctx))
+
+        ctx = utils.dummy_context(roles=['not_admin'])
+        self.assertFalse(enforcer.check_is_admin(ctx))
+
+        ctx = utils.dummy_context(roles=['admin'])
+        self.assertTrue(enforcer.check_is_admin(ctx))