Merge "Enforce policy before resource.validate"

heat/engine/service.py

@@ -698,6 +698,7 @@ class EngineService(service.Service):
                              parent_resource=parent_resource_name,
                              **common_params)
 
+        self.resource_enforcer.enforce_stack(stack)
         self._validate_deferred_auth_context(cnxt, stack)
         stack.validate()
         # For the root stack print a summary of the TemplateResources loaded
@@ -736,7 +737,6 @@ class EngineService(service.Service):
                                                         args,
                                                         convergence=conv_eng)
 
-        self.resource_enforcer.enforce_stack(stack)
         return api.format_stack_preview(stack)
 
     @context.request_context
@@ -802,7 +802,6 @@ class EngineService(service.Service):
             stack_user_project_id, convergence, parent_resource_name,
             template_id)
 
-        self.resource_enforcer.enforce_stack(stack)
         stack_id = stack.store()
         if cfg.CONF.reauthentication_auth_method == 'trusts':
             stack = parser.Stack.load(

heat/tests/test_engine_service.py

@@ -24,6 +24,7 @@ from heat.common import context
 from heat.common import environment_util as env_util
 from heat.common import exception
 from heat.common import identifier
+from heat.common import policy
 from heat.common import template_format
 from heat.engine.cfn import template as cfntemplate
 from heat.engine import environment
@@ -1181,6 +1182,7 @@ class StackServiceTest(common.HeatTestCase):
     @mock.patch.object(service.api, 'format_stack_preview', new=mock.Mock())
     @mock.patch.object(service.parser, 'Stack')
     def test_preview_stack_checks_stack_validity(self, mock_parser):
+        self.patchobject(policy.ResourceEnforcer, 'enforce_stack')
         exc = exception.StackValidationFailed(message='Validation Failed')
         mock_parsed_stack = mock.Mock()
         mock_parsed_stack.validate.side_effect = exc