Use oslo.policy instead of incubated version

* pull in oslo.policy
* account for changes to Enforcer initialization
* account for changes to config options

partially implements bp graduate-policy

Change-Id: Ia23afda5acf92cdc4578ec4c85821603c56d3097

config-generator/keystone.conf

@@ -4,9 +4,9 @@ wrap_width = 79
 namespace = keystone
 namespace = keystone.notifications
 namespace = keystone.openstack.common.eventlet_backdoor
-namespace = keystone.openstack.common.policy
 namespace = oslo.log
 namespace = oslo.messaging
+namespace = oslo.policy
 namespace = oslo.db
 namespace = oslo.middleware
 # We don't use oslo.concurrency config options in

keystone/policy/backends/rules.py

@@ -15,14 +15,11 @@
 
 """Policy engine for keystone"""
 
-import os.path
-
 from oslo_config import cfg
 from oslo_log import log
+from oslo_policy import policy as common_policy
 
-from keystone.common import utils
 from keystone import exception
-from keystone.openstack.common import policy as common_policy
 from keystone import policy
 
 
@@ -31,42 +28,17 @@ LOG = log.getLogger(__name__)
 
 
 _ENFORCER = None
-_POLICY_PATH = None
-_POLICY_CACHE = {}
 
 
 def reset():
-    global _POLICY_PATH
-    global _POLICY_CACHE
     global _ENFORCER
-    _POLICY_PATH = None
-    _POLICY_CACHE = {}
     _ENFORCER = None
 
 
 def init():
-    global _POLICY_PATH
-    global _POLICY_CACHE
     global _ENFORCER
-    if not _POLICY_PATH:
-        _POLICY_PATH = CONF.policy_file
-        if not os.path.exists(_POLICY_PATH):
-            _POLICY_PATH = CONF.find_file(_POLICY_PATH)
     if not _ENFORCER:
-        _ENFORCER = common_policy.Enforcer(policy_file=_POLICY_PATH)
-    utils.read_cached_file(_POLICY_PATH,
-                           _POLICY_CACHE,
-                           reload_func=_set_rules)
-
-
-def _set_rules(data):
-    global _ENFORCER
-    default_rule = CONF.policy_default_rule
-    try:
-        _ENFORCER.set_rules(common_policy.Rules.load_json(
-            data, default_rule))
-    except ValueError:
-        raise exception.PolicyParsingError(policy_file=_POLICY_PATH)
+        _ENFORCER = common_policy.Enforcer(CONF)
 
 
 def enforce(credentials, action, target, do_raise=True):

keystone/tests/unit/core.py

@@ -52,18 +52,13 @@ from keystone import controllers
 from keystone import exception
 from keystone.i18n import _LW
 from keystone import notifications
+from keystone.policy.backends import rules
 from keystone.server import common
 from keystone import service
 from keystone.tests.unit import ksfixtures
 from keystone.tests.unit import utils
 
 
-# NOTE(dstanek): Tests inheriting from TestCase depend on having the
-#   policy_file command-line option declared before setUp runs. Importing the
-#   oslo policy module automatically declares the option.
-from keystone.openstack.common import policy as common_policy  # noqa
-
-
 config.configure()
 
 LOG = log.getLogger(__name__)
@@ -86,6 +81,7 @@ TMPDIR = _calc_tmpdir()
 
 CONF = cfg.CONF
 log.register_options(CONF)
+rules.init()
 
 IN_MEM_DB_CONN_STRING = 'sqlite://'
 
@@ -307,7 +303,8 @@ class TestCase(BaseTestCase):
     def config_overrides(self):
         signing_certfile = 'examples/pki/certs/signing_cert.pem'
         signing_keyfile = 'examples/pki/private/signing_key.pem'
-        self.config_fixture.config(policy_file=dirs.etc('policy.json'))
+        self.config_fixture.config(group='oslo_policy',
+                                   policy_file=dirs.etc('policy.json'))
         self.config_fixture.config(
             # TODO(morganfainberg): Make Cache Testing a separate test case
             # in tempest, and move it out of the base unit tests.

keystone/tests/unit/test_policy.py

@@ -16,12 +16,12 @@
 import json
 
 import mock
+from oslo_policy import policy as common_policy
 import six
 from six.moves.urllib import request as urlrequest
 from testtools import matchers
 
 from keystone import exception
-from keystone.openstack.common import policy as common_policy
 from keystone.policy.backends import rules
 from keystone.tests import unit as tests
 from keystone.tests.unit.ksfixtures import temporaryfile
@@ -42,7 +42,8 @@ class PolicyFileTestCase(tests.TestCase):
 
     def config_overrides(self):
         super(PolicyFileTestCase, self).config_overrides()
-        self.config_fixture.config(policy_file=self.tmpfilename)
+        self.config_fixture.config(group='oslo_policy',
+                                   policy_file=self.tmpfilename)
 
     def test_modified_policy_reloads(self):
         action = "example:test"
@@ -52,8 +53,7 @@ class PolicyFileTestCase(tests.TestCase):
         rules.enforce(empty_credentials, action, self.target)
         with open(self.tmpfilename, "w") as policyfile:
             policyfile.write("""{"example:test": ["false:false"]}""")
-        # NOTE(vish): reset stored policy cache so we don't have to sleep(1)
-        rules._POLICY_CACHE = {}
+        rules._ENFORCER.clear()
         self.assertRaises(exception.ForbiddenAction, rules.enforce,
                           empty_credentials, action, self.target)
 
@@ -63,7 +63,7 @@ class PolicyFileTestCase(tests.TestCase):
         invalid_json = '{"example:test": [],}'
         with open(self.tmpfilename, "w") as policyfile:
             policyfile.write(invalid_json)
-        self.assertRaises(exception.PolicyParsingError, rules.enforce,
+        self.assertRaises(ValueError, rules.enforce,
                           empty_credentials, action, self.target)
 
 
@@ -93,8 +93,7 @@ class PolicyTestCase(tests.TestCase):
         self.target = {}
 
     def _set_rules(self):
-        these_rules = common_policy.Rules(
-            {k: common_policy.parse_rule(v)for k, v in self.rules.items()})
+        these_rules = common_policy.Rules.from_dict(self.rules)
         rules._ENFORCER.set_rules(these_rules)
 
     def test_enforce_nonexistent_action_throws(self):
@@ -187,9 +186,7 @@ class DefaultPolicyTestCase(tests.TestCase):
         setattr(rules._ENFORCER, 'load_rules', lambda *args, **kwargs: None)
 
     def _set_rules(self, default_rule):
-        these_rules = common_policy.Rules(
-            {k: common_policy.parse_rule(v) for k, v in self.rules.items()},
-            default_rule)
+        these_rules = common_policy.Rules.from_dict(self.rules, default_rule)
         rules._ENFORCER.set_rules(these_rules)
 
     def test_policy_called(self):

keystone/tests/unit/test_v3_auth.py

@@ -567,13 +567,14 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
                                          domain_id=self.domainA['id'])
 
         # Finally, switch to the v3 sample policy file
-        self.orig_policy_file = CONF.policy_file
+        self.orig_policy_file = CONF.oslo_policy.policy_file
         from keystone.policy.backends import rules
         rules.reset()
 
     def config_overrides(self):
         super(TestTokenRevokeSelfAndAdmin, self).config_overrides()
         self.config_fixture.config(
+            group='oslo_policy',
             policy_file=tests.dirs.etc('policy.v3cloudsample.json'))
 
     def test_user_revokes_own_token(self):

keystone/tests/unit/test_v3_filters.py

@@ -38,11 +38,12 @@ class IdentityTestFilteredCase(filtering.FilterTests,
 
         # Initialize the policy engine and allow us to write to a temp
         # file in each test to create the policies
-        self.orig_policy_file = CONF.policy_file
+        self.orig_policy_file = CONF.oslo_policy.policy_file
         rules.reset()
         self.tempfile = self.useFixture(temporaryfile.SecureTempFile())
         self.tmpfilename = self.tempfile.file_name
-        self.config_fixture.config(policy_file=self.tmpfilename)
+        self.config_fixture.config(group='oslo_policy',
+                                   policy_file=self.tmpfilename)
 
         # drop the policy rules
         self.addCleanup(rules.reset)

keystone/tests/unit/test_v3_oauth1.py

@@ -574,7 +574,8 @@ class AuthTokenTests(OAuthFlowTests):
     def _set_policy(self, new_policy):
         self.tempfile = self.useFixture(temporaryfile.SecureTempFile())
         self.tmpfilename = self.tempfile.file_name
-        self.config_fixture.config(policy_file=self.tmpfilename)
+        self.config_fixture.config(group='oslo_policy',
+                                   policy_file=self.tmpfilename)
         with open(self.tmpfilename, "w") as policyfile:
             policyfile.write(jsonutils.dumps(new_policy))
 

keystone/tests/unit/test_v3_protection.py

@@ -59,7 +59,8 @@ class IdentityTestProtectedCase(test_v3.RestfulTestCase):
         rules.reset()
         self.tempfile = self.useFixture(temporaryfile.SecureTempFile())
         self.tmpfilename = self.tempfile.file_name
-        self.config_fixture.config(policy_file=self.tmpfilename)
+        self.config_fixture.config(group='oslo_policy',
+                                   policy_file=self.tmpfilename)
 
         # A default auth request we can use - un-scoped user token
         self.auth = self.build_authentication_request(
@@ -377,6 +378,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
         self.addCleanup(rules.reset)
         rules.reset()
         self.config_fixture.config(
+            group='oslo_policy',
             policy_file=tests.dirs.etc('policy.v3cloudsample.json'))
 
     def load_sample_data(self):

requirements-py3.txt

@@ -27,6 +27,7 @@ oslo.db>=1.5.0  # Apache-2.0
 oslo.i18n>=1.3.0  # Apache-2.0
 oslo.log>=0.4.0  # Apache-2.0
 oslo.middleware>=0.3.0                  # Apache-2.0
+oslo.policy>=0.3.0  # Apache-2.0
 oslo.serialization>=1.2.0               # Apache-2.0
 oslo.utils>=1.2.0                       # Apache-2.0
 oauthlib>=0.6

requirements.txt

@@ -26,6 +26,7 @@ oslo.db>=1.5.0  # Apache-2.0
 oslo.i18n>=1.3.0  # Apache-2.0
 oslo.log>=0.4.0  # Apache-2.0
 oslo.middleware>=0.3.0                  # Apache-2.0
+oslo.policy>=0.3.0  # Apache-2.0
 oslo.serialization>=1.2.0               # Apache-2.0
 oslo.utils>=1.2.0                       # Apache-2.0
 oauthlib>=0.6

setup.cfg

@@ -67,4 +67,3 @@ oslo.config.opts =
     keystone = keystone.common.config:list_opts
     keystone.notifications = keystone.notifications:list_opts
     keystone.openstack.common.eventlet_backdoor = keystone.openstack.common.eventlet_backdoor:list_opts
-    keystone.openstack.common.policy = keystone.openstack.common.policy:list_opts