From d414b46c59d89bda9a9d09dffb190cf08df6e9b7 Mon Sep 17 00:00:00 2001
From: Steven Hardy
Date: Fri, 22 Nov 2013 18:17:01 +0000
Subject: [PATCH] Add check_is_admin to common.policy.Enforcer

Currently we have no concept of admin-ness inside Heat, so it's not possible for deployers to specify a hierarchy within a project such that some users have more privileged access than others.

The first step is to provide a means to specify in the policy a rule which describes who is admin, then we can correctly set is_admin in the context based on that rule.

blueprint: request-scoping-policy
Change-Id: Idd1fb5f4e52bda87c70830d66e0c931bfe879347
---
 heat/common/policy.py | 8 ++++++++
 heat/tests/policy/check_admin.json | 3 +++
 heat/tests/test_common_policy.py | 14 ++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 heat/tests/policy/check_admin.json

diff --git a/heat/common/policy.py b/heat/common/policy.py
index e5b68977e5..f1e13f6e1d 100644
--- a/heat/common/policy.py
+++ b/heat/common/policy.py
@@ -95,5 +95,13 @@ class Enforcer(object):
 """
 return self._check(context, action, target)
 
+ def check_is_admin(self, context):
+ """Whether or not roles contains 'admin' role according to policy.json
+
+ :param context: Heat request context
+ :returns: A non-False value if the user is admin according to policy
+ """
+ return self._check(context, 'context_is_admin', target={}, exc=None)
+
 def clear(self):
 self.enforcer.clear()
diff --git a/heat/tests/policy/check_admin.json b/heat/tests/policy/check_admin.json
new file mode 100644
index 0000000000..96a15c83c3
--- /dev/null
+++ b/heat/tests/policy/check_admin.json
@@ -0,0 +1,3 @@
+{
+ "context_is_admin": "role:admin"
+}
diff --git a/heat/tests/test_common_policy.py b/heat/tests/test_common_policy.py
index fab3055483..4bc7048e06 100644
--- a/heat/tests/test_common_policy.py
+++ b/heat/tests/test_common_policy.py
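Review bot: `check_is_admin` evaluates the `context_is_admin` rule with `exc=None`, but nothing in this commit defines that rule in a shipped policy file (the diffstat touches only `heat/common/policy.py` and test files), so on an existing deployment the lookup presumably falls through to the enforcer's default rule — whether that default denies or allows is not visible here and needs confirming, because a permissive default would make every caller admin. Either add a `context_is_admin` entry to the default policy.json in the same change or make the method fail closed when the rule is absent, and pin that in a test. The docstring is also narrower than the code: it promises a check for the 'admin' role, while the method evaluates whatever the deployer's `context_is_admin` rule says, and with `target={}` that rule can only reference the request credentials, never target attributes; I'd rephrase the summary to `"""Whether the request context satisfies the policy's 'context_is_admin' rule."""` and add a sentence noting the empty-target limitation. The `Enforcer` class starts before this hunk.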
@@ -173,3 +173,17 @@ class TestPolicyEnforcer(HeatTestCase):
 exc=None, default_rule=default_rule)
 action = 'no_such_action'
 self.assertFalse(enforcer.enforce(ctx, action))
+
+ def test_check_admin(self):
+ self.stub_policyfile('check_admin.json')
+
+ enforcer = policy.Enforcer()
+
+ ctx = utils.dummy_context(roles=[])
+ self.assertFalse(enforcer.check_is_admin(ctx))
+
+ ctx = utils.dummy_context(roles=['not_admin'])
+ self.assertFalse(enforcer.check_is_admin(ctx))
+
+ ctx = utils.dummy_context(roles=['admin'])
+ self.assertTrue(enforcer.check_is_admin(ctx))
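Review bot: `test_check_admin` only exercises the fixture where `context_is_admin` is defined, so it does not pin what `check_is_admin` returns when a deployer's policy.json lacks the rule — the case that matters on upgrade, since this commit adds no default policy entry. Add a case that stubs a policy file without `context_is_admin` and asserts `self.assertFalse(enforcer.check_is_admin(ctx))` for an admin-role context if fail-closed is the intent, so a permissive default rule becomes a deliberate choice rather than an accident. A context carrying several roles, e.g. `ctx = utils.dummy_context(roles=['not_admin', 'admin'])` with `self.assertTrue(...)`, would also show the check is not dependent on role order or on the role being the only one. `TestPolicyEnforcer` begins before this hunk; the new test method itself lies entirely inside it.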